CVE-2022-23634 (GCVE-0-2022-23634)
Vulnerability from cvelistv5 – Published: 2022-02-11 21:40 – Updated: 2025-04-23 19:05 – CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
| URL | Tags |
|---|---|
| https://github.com/puma/puma/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/puma/puma/commit/b70f451fe8abc… | x_refsource_MISC |
| https://github.com/advisories/GHSA-rmj8-8hhh-gv5h | x_refsource_MISC |
| https://github.com/advisories/GHSA-wh98-p28r-vrc9 | x_refsource_MISC |
| https://groups.google.com/g/ruby-security-ann/c/F… | x_refsource_MISC |
| https://www.debian.org/security/2022/dsa-5146 | vendor-advisory, x_refsource_DEBIAN |
| https://lists.debian.org/debian-lts-announce/2022… | mailing-list, x_refsource_MLIST |
| https://security.gentoo.org/glsa/202208-28 | vendor-advisory, x_refsource_GENTOO |
| https://lists.debian.org/debian-lts-announce/2022… | mailing-list, x_refsource_MLIST |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"name": "DSA-5146",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"name": "GLSA-202208-28",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:10.852401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:05:33.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "puma",
"vendor": "puma",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.6.2"
},
{
"status": "affected",
"version": "\u003c 4.3.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-12T19:06:38.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"name": "DSA-5146",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"name": "GLSA-202208-28",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
],
"source": {
"advisory": "GHSA-rmj8-8hhh-gv5h",
"discovery": "UNKNOWN"
},
"title": "Information Exposure when using Puma with Rails",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23634",
"STATE": "PUBLIC",
"TITLE": "Information Exposure when using Puma with Rails"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "puma",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.0.0, \u003c 5.6.2"
},
{
"version_value": "\u003c 4.3.11"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
"refsource": "MISC",
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
"refsource": "MISC",
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"name": "DSA-5146",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"name": "GLSA-202208-28",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
]
},
"source": {
"advisory": "GHSA-rmj8-8hhh-gv5h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23634",
"datePublished": "2022-02-11T21:40:11.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:05:33.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-23634",
"date": "2026-05-21",
"epss": "0.00479",
"percentile": "0.65264"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"4.3.11\", \"matchCriteriaId\": \"F662913A-D835-400A-BE47-112269F1A880\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.6.2\", \"matchCriteriaId\": \"3221F00A-D4F8-43C2-90D0-98D38E5294B8\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.2.6.2\", \"matchCriteriaId\": \"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.0.4.6\", \"matchCriteriaId\": \"CB7B860B-0F93-4C93-8C95-29D259A38C43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.0\", \"versionEndExcluding\": \"6.1.4.6\", \"matchCriteriaId\": \"A8FC3F82-3521-470B-910E-395895BAB248\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.2.2\", \"matchCriteriaId\": \"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": 
\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \\\"puma\\\" \\\"5.6.2\\\", \\\"puma\\\" no siempre llamaba a \\\"close\\\" en el cuerpo de la respuesta. Rails, versiones anteriores a \\\"7.0.2.2\\\", depend\\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\\u00f3n de \\\"CurrentAttributes\\\" funcionara correctamente. La combinaci\\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\\u00f3n del ejecutor de Rails) causa un filtrado de informaci\\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. La actualizaci\\u00f3n a una versi\\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad\"}]",
"id": "CVE-2022-23634",
"lastModified": "2024-11-21T06:48:58.950",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 8.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-02-11T22:15:07.817",
"references": "[{\"url\": \"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Not Applicable\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://security.gentoo.org/glsa/202208-28\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2022/dsa-5146\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Not Applicable\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202208-28\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2022/dsa-5146\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-404\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23634\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-02-11T22:15:07.817\",\"lastModified\":\"2024-11-21T06:48:58.950\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \\\"puma\\\" \\\"5.6.2\\\", \\\"puma\\\" no siempre llamaba a \\\"close\\\" en el cuerpo de la respuesta. Rails, versiones anteriores a \\\"7.0.2.2\\\", depend\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\u00f3n de \\\"CurrentAttributes\\\" funcionara correctamente. La combinaci\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\u00f3n del ejecutor de Rails) causa un filtrado de informaci\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. 
La actualizaci\u00f3n a una versi\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-404\"}]}],\"configurations\":[{\"nodes\":[{\
"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"4.3.11\",\"matchCriteriaId\":\"F662913A-D835-400A-BE47-112269F1A880\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.6.2\",\"matchCriteriaId\":\"3221F00A-D4F8-43C2-90D0-98D38E5294B8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.2.6.2\",\"matchCriteriaId\":\"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.4.6\",\"matchCriteriaId\":\"CB7B860B-0F93-4C93-8C95-29D259A38C43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"6.1.4.6\",\"matchCriteriaId\":\"A8FC3F82-3521-470B-910E-395895BAB248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.2.2\",\"matchCriteriaId\":\"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedorap
roject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Not Applicable\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202208-28\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5146\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Not Applicable\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing 
List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-28\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5146\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
BDU:2024-07773
Vulnerability from fstec - Published: 11.02.2022
{
"CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:N",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"CVSS 4.0": null,
"remediation_Identifier": null,
"remediation_Name": null,
"Software vendor": "Free software community, Canonical Ltd., Red Soft LLC, JSC \"NPPKT\", Rails Core Team",
"Software version": "9 (Debian GNU/Linux), 10 (Debian GNU/Linux), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (RED OS), 22.04 LTS (Ubuntu), up to 2.6 (OSON OSnova Onyx), up to 4.3.11 (Puma), from 5.0.0 to 5.6.2 (Puma), from 5.0.0 to 5.2.6.2 (Ruby on Rails), from 6.0.0 to 6.0.4.6 (Ruby on Rails), from 6.1.0 to 6.1.4.6 (Ruby on Rails), from 7.0.0 to 7.0.2.2 (Ruby on Rails)",
"Possible remediation measures": "Follow the recommendations:\nFor Puma:\nhttps://github.com/advisories/GHSA-rmj8-8hhh-gv5h\n\nFor Ruby on Rails:\nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9\n\nFor RED OS: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\nFor Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-23634\n\nFor Ubuntu:\nhttps://ubuntu.com/security/CVE-2022-23634\n\nFor OSON OSnova Onyx: update the puma package to version 3.12.0-2+deb10u3",
"Date identified": "11.02.2022",
"Date last updated": "06.11.2024",
"Date published": "04.10.2024",
"Identifier": "BDU:2024-07773",
"Identifiers in other vulnerability databases": "CVE-2022-23634",
"Remediation information": "Vulnerability fixed",
"Vulnerability class": "Code vulnerability",
"Software name": "Debian GNU/Linux, Ubuntu, RED OS (entry No. 3751 in the unified register of Russian software), OSON OSnova Onyx (entry No. 5913 in the unified register of Russian software), Puma, Ruby on Rails",
"OS name and hardware platform type": "Free software community Debian GNU/Linux 9, Free software community Debian GNU/Linux 10, Canonical Ltd. Ubuntu 20.04 LTS, Free software community Debian GNU/Linux 11, Free software community Debian GNU/Linux 12, Red Soft LLC RED OS 7.3 (entry No. 3751 in the unified register of Russian software), Canonical Ltd. Ubuntu 22.04 LTS, JSC \"NPPKT\" OSON OSnova Onyx up to 2.6 (entry No. 5913 in the unified register of Russian software)",
"Vulnerability name": "Vulnerability in the Puma HTTP server for Ruby/Rack applications that allows an attacker to gain access to confidential information",
"Exploit availability": "Data being clarified",
"CWE description": "Improper Resource Shutdown or Release (CWE-404)",
"Vulnerability description": "The vulnerability in the Puma HTTP server for Ruby/Rack applications is related to the exposure of confidential information to an unauthorized actor. Exploitation may allow a remote attacker to gain access to confidential information",
"Consequences of exploitation": null,
"Other information": null,
"Link to security incidents": "Data being clarified",
"Vulnerability state": "Published",
"Remediation method": "Software update",
"Exploitation method": "Spoofing during interaction",
"Source references": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9\nhttps://redos.red-soft.ru/support/secure/\nhttps://security-tracker.debian.org/tracker/CVE-2022-23634\nhttps://ubuntu.com/security/CVE-2022-23634\nhttps://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.6/",
"Vulnerability status": "Confirmed by vendor",
"Software type": "Operating system, Application software for information systems",
"CWE type": "CWE-404",
"Vulnerability severity level": "High severity (CVSS 2.0 base score 7.1)\nHigh severity (CVSS 3.0 base score 8)"
}
CNVD-2022-10705
Vulnerability from cnvd - Published: 2022-02-15
The vendor has released an upgrade patch to fix the vulnerability; patch download link: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
| Name | Puma Puma <5.6.2 |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-23634"
}
},
"description": "Puma is a web server for high-concurrency applications from the US individual developer Evan Phoenix.\n\nPuma has an information disclosure vulnerability. Prior to puma version 5.6.2, puma may not always call close on the response body, and prior to version 7.0.2.2 Rails depended on the response body being closed for its \"CurrentAttributes\" implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) leads to information leakage. No detailed vulnerability details are currently available.",
"formalWay": "The vendor has released an upgrade patch to fix the vulnerability; patch download link:\r\nhttps://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
"isEvent": "General software and hardware vulnerability",
"number": "CNVD-2022-10705",
"openTime": "2022-02-15",
"patchDescription": "Puma is a web server for high-concurrency applications from the US individual developer Evan Phoenix.\r\n\r\nPuma has an information disclosure vulnerability. Prior to puma version 5.6.2, puma may not always call close on the response body, and prior to version 7.0.2.2 Rails depended on the response body being closed for its \"CurrentAttributes\" implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) leads to information leakage. No detailed vulnerability details are currently available. The vendor has now released a security advisory and related patch information that fixes this vulnerability.",
"patchName": "Patch for the Puma information disclosure vulnerability",
"products": {
"product": "Puma Puma \u003c5.6.2"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
"serverity": "High",
"submitTime": "2022-02-15",
"title": "Puma information disclosure vulnerability"
}
FKIE_CVE-2022-23634
Vulnerability from fkie_nvd - Published: 2022-02-11 22:15 - Updated: 2024-11-21 06:48
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Vendor | Product | Version |
|---|---|---|
| puma | puma | < 4.3.11 |
| puma | puma | >= 5.0.0, < 5.6.2 |
| rubyonrails | rails | >= 5.0.0, < 5.2.6.2 |
| rubyonrails | rails | >= 6.0.0, < 6.0.4.6 |
| rubyonrails | rails | >= 6.1.0, < 6.1.4.6 |
| rubyonrails | rails | >= 7.0.0, < 7.0.2.2 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 36 |
| fedoraproject | fedora | 37 |
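As an added practitioner check (not part of the NVD record or of the Puma project), the Ruby script below encodes the affected ranges from the cpeMatch entries on this page and decides whether a Gemfile.lock pins a Puma/Rails pair that is exposed. Because upgrading either gem is enough, it reports a deployment as vulnerable only when both gems are inside an affected range. The lockfile excerpt is constructed sample input, the function names are this example's own, and the parser assumes the conventional four-space indentation of the `specs:` section.

```ruby
# Added example: is this Puma + Rails combination inside the CVE-2022-23634
# affected ranges? Ranges copied from the NVD cpeMatch entries on this page.
require "rubygems" # Gem::Version, for correct multi-segment comparisons

# [versionStartIncluding, versionEndExcluding] pairs; nil start = no lower bound.
AFFECTED = {
  "puma"  => [[nil, "4.3.11"], ["5.0.0", "5.6.2"]],
  "rails" => [["5.0.0", "5.2.6.2"], ["6.0.0", "6.0.4.6"],
              ["6.1.0", "6.1.4.6"], ["7.0.0", "7.0.2.2"]],
}.freeze

# True when +version+ falls inside any [start, stop) range for +gem_name+.
def affected?(gem_name, version)
  v = Gem::Version.new(version)
  AFFECTED.fetch(gem_name).any? do |start, stop|
    (start.nil? || v >= Gem::Version.new(start)) && v < Gem::Version.new(stop)
  end
end

# Pull pinned versions for +names+ out of the GEM/specs section of a
# Gemfile.lock. Top-level specs look like "    puma (5.6.1)" (4 spaces);
# nested dependency lines are indented deeper and are skipped (assumption).
def locked_versions(lockfile_text, names)
  pins = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A    (\S+) \(([^)]+)\)/)
    next unless m && names.include?(m[1])
    pins[m[1]] = m[2]
  end
  pins
end

# The advisory's key property: patching either side suffices, so the
# deployment is exposed only when BOTH gems are in an affected range.
def vulnerable_combination?(lockfile_text)
  pins = locked_versions(lockfile_text, %w[puma rails])
  return false unless pins.key?("puma") && pins.key?("rails")
  affected?("puma", pins["puma"]) && affected?("rails", pins["rails"])
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (5.6.1)
        nio4r (~> 2.0)
      rails (6.1.4.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "pins: #{locked_versions(SAMPLE_LOCK, %w[puma rails])}"
  puts "vulnerable combination: #{vulnerable_combination?(SAMPLE_LOCK)}"
end
```

Run it against a real lockfile with `ruby check.rb` after swapping `SAMPLE_LOCK` for `File.read("Gemfile.lock")`; the 4.x Puma range has no lower bound, matching the NVD entry that lists only `versionEndExcluding`.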
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "F662913A-D835-400A-BE47-112269F1A880",
"versionEndExcluding": "4.3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "3221F00A-D4F8-43C2-90D0-98D38E5294B8",
"versionEndExcluding": "5.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
},
{
"lang": "es",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to \"puma\" version \"5.6.2\", \"puma\" did not always call \"close\" on the response body. Rails, prior to version \"7.0.2.2\", depended on the response body being closed for its \"CurrentAttributes\" implementation to work correctly. The combination of these two behaviors (Puma not closing the body + the Rails executor implementation) causes an information leak. This problem has been fixed in Puma versions 5.6.2 and 4.3.11. This problem has been fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6 and 5.2.6.2. Upgrading to a patched version of Rails _or_ Puma fixes this vulnerability"
}
],
"id": "CVE-2022-23634",
"lastModified": "2024-11-21T06:48:58.950",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T22:15:07.817",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Not Applicable",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Not Applicable",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-RMJ8-8HHH-GV5H
Vulnerability from github – Published: 2022-02-11 21:33 – Updated: 2022-08-16 19:43
Impact
Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.
From Rails:
Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the Rails vulnerability.
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, or 5.2.6.2.
The Rails advisory for CVE-2022-23633 includes a middleware that can be used instead.
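The mechanism described under Impact, and the two independent ways out of it (patch the server so `close` is always called, or patch the framework so it no longer depends on `close`), as an added illustration that is not code from Puma or Rails: a thread-local store standing in for `CurrentAttributes`, a Rack-style executor that resets it only from the body's `close` hook, a request loop that models a server skipping `close`, and a second executor that additionally resets on entry. The entry-reset executor is this example's simplified stand-in for the middleware approach the Rails advisory refers to, not that middleware itself; all class, method and header names below are invented for the example.

```ruby
# Added illustration (not Puma or Rails code) of CVE-2022-23634 / CVE-2022-23633:
# "server never closes the body" + "framework resets per-request state only on
# close" leaks the previous request's state into the next one on the same thread.

# Thread-local per-request state, standing in for ActiveSupport::CurrentAttributes.
module Current
  def self.user
    Thread.current[:example_current_user]
  end

  def self.user=(u)
    Thread.current[:example_current_user] = u
  end

  def self.reset
    Thread.current[:example_current_user] = nil
  end
end

# Rack body wrapper whose close hook runs the framework's per-request cleanup.
class CleanupOnClose
  def initialize(body, &on_close)
    @body = body
    @on_close = on_close
  end

  def each(&blk)
    @body.each(&blk)
  end

  def close
    @on_close.call
  end
end

# Pre-fix style executor: relies entirely on body.close to reset state, like
# the ActionDispatch::Executor behaviour quoted in the advisory.
class CloseOnlyExecutor
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, CleanupOnClose.new(body) { Current.reset }]
  end
end

# Workaround style executor: also resets BEFORE the app runs, so a skipped
# close can no longer feed the previous request's state into this one.
class ResetOnEntryExecutor < CloseOnlyExecutor
  def call(env)
    Current.reset
    super
  end
end

# Application: records the authenticated user (if any) in Current, then renders
# whoever Current.user is, as a CurrentAttributes-based app would.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  [200, { "content-type" => "text/plain" }, ["hello #{Current.user.inspect}"]]
end

# Serve requests sequentially on one fresh worker thread and collect the bodies.
# close_body: false models a server that never calls close on the response body.
def serve(app, requests, close_body:)
  Thread.new do
    requests.map do |env|
      _status, _headers, body = app.call(env)
      out = +""
      body.each { |chunk| out << chunk }
      body.close if close_body && body.respond_to?(:close)
      out
    end
  end.value
end

# Constructed sample traffic: an authenticated request followed by an anonymous
# one, both handled by the same thread.
REQUESTS = [{ "HTTP_X_USER" => "alice" }, {}].freeze

# Bug on both sides: the anonymous request is answered as alice.
def leaking_outputs
  serve(CloseOnlyExecutor.new(APP), REQUESTS, close_body: false)
end

# Server fixed (close always called), framework unchanged.
def server_patched_outputs
  serve(CloseOnlyExecutor.new(APP), REQUESTS, close_body: true)
end

# Framework fixed (reset on entry), server still skipping close.
def framework_patched_outputs
  serve(ResetOnEntryExecutor.new(APP), REQUESTS, close_body: false)
end

if __FILE__ == $PROGRAM_NAME
  p leaking_outputs           # ["hello \"alice\"", "hello \"alice\""]
  p server_patched_outputs    # ["hello \"alice\"", "hello nil"]
  p framework_patched_outputs # ["hello \"alice\"", "hello nil"]
end
```

The second element of `leaking_outputs` is the leak: nothing in the anonymous request set a user, yet it is rendered as `alice` because the first request's thread-local was never reset. Either fix alone produces `hello nil` for that request, which is why the advisory says upgrading Rails or Puma is sufficient.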
References
- Rails CVE: CVE-2022-23633
For more information
If you have any questions or comments about this advisory:
- Open an issue in puma
- See our security policy
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23634"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-404"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-11T21:33:23Z",
"nvd_published_at": "2022-02-11T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nPrior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage.\n\n### Patches\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: \nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9 \nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1) includes a middleware that can be used instead.\n\n### References\n\n* Rails CVE: [CVE-2022-23633](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)",
"id": "GHSA-rmj8-8hhh-gv5h",
"modified": "2022-08-16T19:43:34Z",
"published": "2022-02-11T21:33:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Puma used with Rails may lead to Information Exposure"
}
GSD-2022-23634
Vulnerability from gsd - Updated: 2022-02-11 00:00
{
"GSD": {
"alias": "CVE-2022-23634",
"description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"id": "GSD-2022-23634",
"references": [
"https://www.suse.com/security/cve/CVE-2022-23634.html",
"https://security.archlinux.org/CVE-2022-23634",
"https://www.debian.org/security/2022/dsa-5146",
"https://access.redhat.com/errata/RHSA-2022:5498"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma",
"purl": "pkg:gem/puma"
}
}
],
"aliases": [
"CVE-2022-23634",
"GHSA-rmj8-8hhh-gv5h"
],
"details": "### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example\n\u003e a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n\u003e response is not notified of a close, ActionDispatch::Executor will not know\n\u003e to reset thread local state for the next request. This can lead to data\n\u003e being leaked to subsequent requests, especially when interacting with\n\u003e ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\nincludes a middleware that can be used instead.\n",
"id": "GSD-2022-23634",
"modified": "2022-02-11T00:00:00.000Z",
"published": "2022-02-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
}
],
"related": [
"CVE-2022-23633",
"GHSA-wh98-p28r-vrc9"
],
"schema_version": "1.4.0",
"severity": [
{
"score": 8.0,
"type": "CVSS_V3"
}
],
"summary": "Information Exposure with Puma when used with Rails"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23634",
"STATE": "PUBLIC",
"TITLE": "Information Exposure when using Puma with Rails"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "puma",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.0.0, \u003c 5.6.2"
},
{
"version_value": "\u003c 4.3.11"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
"refsource": "MISC",
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
"refsource": "MISC",
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"name": "DSA-5146",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"name": "GLSA-202208-28",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
]
},
"source": {
"advisory": "GHSA-rmj8-8hhh-gv5h",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2022-23634",
"cvss_v3": 8.0,
"date": "2022-02-11",
"description": "### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example\n\u003e a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n\u003e response is not notified of a close, ActionDispatch::Executor will not know\n\u003e to reset thread local state for the next request. This can lead to data\n\u003e being leaked to subsequent requests, especially when interacting with\n\u003e ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\nincludes a middleware that can be used instead.\n",
"gem": "puma",
"ghsa": "rmj8-8hhh-gv5h",
"patched_versions": [
"~\u003e 4.3.11",
"\u003e= 5.6.2"
],
"related": {
"cve": [
"2022-23633"
],
"ghsa": [
"wh98-p28r-vrc9"
],
"url": [
"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
]
},
"title": "Information Exposure with Puma when used with Rails",
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.3.11||\u003e=5.0.0 \u003c5.6.2",
"affected_versions": "All versions before 4.3.11, all versions starting from 5.0.0 before 5.6.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-404",
"CWE-937"
],
"date": "2023-07-13",
"description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"fixed_versions": [],
"identifier": "CVE-2022-23634",
"identifiers": [
"CVE-2022-23634",
"GHSA-rmj8-8hhh-gv5h",
"GHSA-wh98-p28r-vrc9"
],
"not_impacted": "",
"package_slug": "gem/gitlab-puma",
"pubdate": "2022-02-11",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Information Exposure when using Puma with Rails",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
"https://github.com/advisories/GHSA-wh98-p28r-vrc9",
"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
],
"uuid": "5d6e201c-6e97-42e7-9fe7-dae7e03478db"
},
{
"affected_range": "\u003c4.3.11||\u003e=5.0.0 \u003c5.6.2",
"affected_versions": "All versions before 4.3.11, all versions starting from 5.0.0 before 5.6.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-404",
"CWE-937"
],
"date": "2023-07-13",
"description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"fixed_versions": [
"4.3.11",
"5.6.2"
],
"identifier": "CVE-2022-23634",
"identifiers": [
"CVE-2022-23634",
"GHSA-rmj8-8hhh-gv5h",
"GHSA-wh98-p28r-vrc9"
],
"not_impacted": "All versions starting from 4.3.11 before 5.0.0, all versions starting from 5.6.2",
"package_slug": "gem/puma",
"pubdate": "2022-02-11",
"solution": "Upgrade to versions 4.3.11, 5.6.2 or above.",
"title": "Information Exposure when using Puma with Rails",
"urls": [
"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
"https://github.com/advisories/GHSA-wh98-p28r-vrc9"
],
"uuid": "08779c8c-d71f-4221-aa91-aaa1e98674be"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "5.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "4.3.11",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23634"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
},
{
"name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
"refsource": "MISC",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
},
{
"name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
},
{
"name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
"refsource": "MISC",
"tags": [
"Mitigation",
"Not Applicable",
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
},
{
"name": "DSA-5146",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"name": "GLSA-202208-28",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-07-13T16:31Z",
"publishedDate": "2022-02-11T22:15Z"
}
}
}
OPENSUSE-SU-2024:11847-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-puma-5.6.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11847",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11847-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
}
],
"title": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11847-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
"product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
}
]
}
OPENSUSE-SU-2024:12900-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12900",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12900-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
}
],
"title": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12900-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"product": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"product": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"product": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
"product": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
"product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
},
"product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
},
"product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
},
"product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
},
"product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
}
]
}
OPENSUSE-SU-2024:13720-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13720",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13720-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
}
],
"title": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13720-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
"product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
}
]
}
OPENSUSE-SU-2025:15123-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15123",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15123-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15123-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15123-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15123-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
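The CVE-2022-23634 description in the advisory above (and repeated in the advisory below) hinges on a subtle contract: request-scoped state is only reset when the Rack response body's `close` is called, so a server that skips `close` lets one request's state bleed into the next request on the same thread. The following is an added illustration of that interaction, not code from Puma or Rails. The `Current` module, `CompletingBody` class and `serve` loop are simplified stand-ins for Rails' `CurrentAttributes`, the Executor's body-close hook, and a worker thread; the request sequence is constructed for the example.

```ruby
# Added illustration of CVE-2022-23634: request state that is only reset on
# body close, served by a loop that may forget to close the body.
# Stand-ins, not the Rails or Puma implementations.

# Stand-in for Rails' CurrentAttributes: per-thread request state.
module Current
  def self.user
    Thread.current[:current_user]
  end

  def self.user=(value)
    Thread.current[:current_user] = value
  end

  def self.reset
    Thread.current[:current_user] = nil
  end
end

# Rack body whose #close completes the request. This mirrors (in spirit) the
# Rails Executor hook that ran on body close before 7.0.2.2: the reset lives
# here and nowhere else, so skipping #close skips the reset.
class CompletingBody
  def initialize(chunks)
    @chunks = chunks
  end

  def each(&block)
    @chunks.each(&block)
  end

  def close
    Current.reset
  end
end

# Minimal Rack app: an authenticated request records its user in Current and
# renders it; an anonymous request never touches Current and so renders
# whatever the previous request on this thread left behind.
APP = lambda do |env|
  Current.user = env["app.session_user"] if env["app.session_user"]
  body = ["hello #{Current.user || 'anonymous'}"]
  [200, { "content-type" => "text/plain" }, CompletingBody.new(body)]
end

# Serve a request sequence on one fresh thread, as a worker thread would.
# close_body: false reproduces the pre-5.6.2 server behaviour the advisory
# describes; close_body: true is the fixed server.
def serve(app, requests, close_body:)
  Thread.new do
    requests.map do |env|
      _status, _headers, body = app.call(env)
      out = +""
      body.each { |chunk| out << chunk }
      body.close if close_body && body.respond_to?(:close)
      out
    end
  end.value
end

# Constructed traffic: an authenticated request followed by an anonymous one
# handled by the same thread.
REQUESTS = [
  { "app.session_user" => "alice" },
  {},
].freeze

def leaked_responses
  serve(APP, REQUESTS, close_body: false)
end

def isolated_responses
  serve(APP, REQUESTS, close_body: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "body never closed: #{leaked_responses.inspect}"
  puts "body closed:       #{isolated_responses.inspect}"
end
```

With the body left unclosed the anonymous request is answered as "alice"; with `close` called it is answered as "anonymous". This is why the advisory says either side's patch suffices: fixed Puma versions always call `close`, and fixed Rails versions no longer depend on `close` to reset `CurrentAttributes`.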
OPENSUSE-SU-2026:10357-1
Vulnerability from csaf_opensuse - Published: 2026-03-13 00:00 - Updated: 2026-03-13 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby4.0-rubygem-puma-6.4.3-1.5 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10357",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10357-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
"tracking": {
"current_release_date": "2026-03-13T00:00:00Z",
"generator": {
"date": "2026-03-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10357-1",
"initial_release_date": "2026-03-13T00:00:00Z",
"revision_history": [
{
"date": "2026-03-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"product": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"product": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"product": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
"product": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
"product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
},
"product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
},
"product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
},
"product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
},
"product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
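The CVE-2024-45614 description in both advisories above turns on how Rack servers map header names to CGI-style environment keys: `X-Forwarded-For` and `X-Forwarded_For` both become `HTTP_X_FORWARDED_FOR`, so a client can inject a value under the key an application believes only its proxy can write. The following is an added illustration, not Puma's parser or its patch. It models that normalisation, a vulnerable merge of colliding headers (the ", " join is an assumption for the example; an overwriting server is just as clobberable), and the fixed rule the advisory states: drop an underscore header when the same name spelled with dashes is also present. Header order and addresses are constructed.

```ruby
# Added illustration of CVE-2024-45614 (header clobbering via underscores).
# Not Puma's code: a model of Rack/CGI header normalisation plus the
# vulnerable and fixed behaviours the advisory contrasts.

# Rack/CGI key for a raw header name: "X-Forwarded-For" -> "HTTP_X_FORWARDED_FOR".
# "X-Forwarded_For" collapses onto the same key, which is the root cause.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Vulnerable: every header lands in env under its normalised key, and
# colliding keys are merged with ", " in arrival order (assumed merge rule
# for this illustration).
def build_env_vulnerable(headers)
  headers.each_with_object({}) do |(name, value), env|
    key = env_key(name)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
end

# Fixed (the rule described for puma 6.4.3 / 5.6.9): a header whose raw name
# contains "_" is discarded whenever the request also carries the same name
# spelled with "-", so proxy-set headers always win. A lone underscore header
# with no dashed twin still passes through, exactly as the advisory says.
def build_env_fixed(headers)
  dashed = headers.map { |name, _| name.downcase }.reject { |n| n.include?("_") }
  kept = headers.reject do |name, _|
    name.include?("_") && dashed.include?(name.downcase.tr("_", "-"))
  end
  build_env_vulnerable(kept)
end

# Typical application-side consumer: take the first hop of X-Forwarded-For,
# trusting that the proxy in front of the app is the only writer of that key.
def client_ip(env)
  xff = env["HTTP_X_FORWARDED_FOR"]
  return nil unless xff
  xff.split(",").first.strip
end

# Constructed request: the attacker supplies the underscore spelling, the
# proxy appends the canonical header with the real client address. Arrival
# order is constructed for the example, not taken from a real capture.
ATTACK_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded_For", "203.0.113.7"],    # attacker-controlled
  ["X-Forwarded-For", "198.51.100.23"],  # set by the proxy (real client IP)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable server sees client IP: #{client_ip(build_env_vulnerable(ATTACK_HEADERS))}"
  puts "fixed server sees client IP:      #{client_ip(build_env_fixed(ATTACK_HEADERS))}"
end
```

On the vulnerable path the application attributes the request to 203.0.113.7, the attacker's choice; on the fixed path it sees only the proxy's 198.51.100.23. Two points for operators follow from the model: nginx's default `underscores_in_headers off;` already drops such headers before they reach the application, which is the proxy-level mitigation the advisory mentions; and because a lone underscore header is still passed through after the fix, applications should continue to treat `HTTP_X_FORWARDED_FOR` as trustworthy only when the proxy is guaranteed to set it on every request.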
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.