Vulnerability-Lookup

CVE-2022-23634 (GCVE-0-2022-23634)

Vulnerability from cvelistv5 – Published: 2022-02-11 21:40 – Updated: 2025-04-23 19:05

Title

Information Exposure when using Puma with Rails

Summary

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Severity

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

12 references

URL	Tags
https://github.com/puma/puma/security/advisories/…	x_refsource_CONFIRM
https://github.com/puma/puma/commit/b70f451fe8abc…	x_refsource_MISC
https://github.com/advisories/GHSA-rmj8-8hhh-gv5h	x_refsource_MISC
https://github.com/advisories/GHSA-wh98-p28r-vrc9	x_refsource_MISC
https://groups.google.com/g/ruby-security-ann/c/F…	x_refsource_MISC
https://www.debian.org/security/2022/dsa-5146	vendor-advisoryx_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://security.gentoo.org/glsa/202208-28	vendor-advisoryx_refsource_GENTOO
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

1 product

Vendor	Product	Version
puma	puma	Affected: >= 5.0.0, < 5.6.2 Affected: < 4.3.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.584Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
          },
          {
            "name": "DSA-5146",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5146"
          },
          {
            "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
          },
          {
            "name": "GLSA-202208-28",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-28"
          },
          {
            "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
          },
          {
            "name": "FEDORA-2022-de968d1b6c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
          },
          {
            "name": "FEDORA-2022-52d0032596",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
          },
          {
            "name": "FEDORA-2022-7c8b29195f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:56:10.852401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:05:33.266Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "puma",
          "vendor": "puma",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.6.2"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-12T19:06:38.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
        },
        {
          "name": "DSA-5146",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5146"
        },
        {
          "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
        },
        {
          "name": "GLSA-202208-28",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-28"
        },
        {
          "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
        },
        {
          "name": "FEDORA-2022-de968d1b6c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
        },
        {
          "name": "FEDORA-2022-52d0032596",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
        },
        {
          "name": "FEDORA-2022-7c8b29195f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
        }
      ],
      "source": {
        "advisory": "GHSA-rmj8-8hhh-gv5h",
        "discovery": "UNKNOWN"
      },
      "title": "Information Exposure when using Puma with Rails",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23634",
          "STATE": "PUBLIC",
          "TITLE": "Information Exposure when using Puma with Rails"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "puma",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.6.2"
                          },
                          {
                            "version_value": "\u003c 4.3.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "puma"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "CONFIRM",
              "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
              "refsource": "MISC",
              "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
            },
            {
              "name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
            },
            {
              "name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
            },
            {
              "name": "DSA-5146",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5146"
            },
            {
              "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
            },
            {
              "name": "GLSA-202208-28",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-28"
            },
            {
              "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
            },
            {
              "name": "FEDORA-2022-de968d1b6c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
            },
            {
              "name": "FEDORA-2022-52d0032596",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
            },
            {
              "name": "FEDORA-2022-7c8b29195f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rmj8-8hhh-gv5h",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23634",
    "datePublished": "2022-02-11T21:40:11.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:05:33.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-23634",
      "date": "2026-06-08",
      "epss": "0.00479",
      "percentile": "0.65442"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"4.3.11\", \"matchCriteriaId\": \"F662913A-D835-400A-BE47-112269F1A880\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.6.2\", \"matchCriteriaId\": \"3221F00A-D4F8-43C2-90D0-98D38E5294B8\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.2.6.2\", \"matchCriteriaId\": \"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.0.4.6\", \"matchCriteriaId\": \"CB7B860B-0F93-4C93-8C95-29D259A38C43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.0\", \"versionEndExcluding\": \"6.1.4.6\", \"matchCriteriaId\": \"A8FC3F82-3521-470B-910E-395895BAB248\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.2.2\", \"matchCriteriaId\": \"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \\\"puma\\\" \\\"5.6.2\\\", \\\"puma\\\" no siempre llamaba a \\\"close\\\" en el cuerpo de la respuesta. Rails, versiones anteriores a \\\"7.0.2.2\\\", depend\\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\\u00f3n de \\\"CurrentAttributes\\\" funcionara correctamente. La combinaci\\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\\u00f3n del ejecutor de Rails) causa un filtrado de informaci\\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. La actualizaci\\u00f3n a una versi\\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad\"}]",
      "id": "CVE-2022-23634",
      "lastModified": "2024-11-21T06:48:58.950",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 8.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-02-11T22:15:07.817",
      "references": "[{\"url\": \"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Not Applicable\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.gentoo.org/glsa/202208-28\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2022/dsa-5146\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Not Applicable\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202208-28\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2022/dsa-5146\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-404\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-23634\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-02-11T22:15:07.817\",\"lastModified\":\"2024-11-21T06:48:58.950\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \\\"puma\\\" \\\"5.6.2\\\", \\\"puma\\\" no siempre llamaba a \\\"close\\\" en el cuerpo de la respuesta. Rails, versiones anteriores a \\\"7.0.2.2\\\", depend\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\u00f3n de \\\"CurrentAttributes\\\" funcionara correctamente. La combinaci\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\u00f3n del ejecutor de Rails) causa un filtrado de informaci\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. La actualizaci\u00f3n a una versi\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-404\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"4.3.11\",\"matchCriteriaId\":\"F662913A-D835-400A-BE47-112269F1A880\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.6.2\",\"matchCriteriaId\":\"3221F00A-D4F8-43C2-90D0-98D38E5294B8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.2.6.2\",\"matchCriteriaId\":\"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.4.6\",\"matchCriteriaId\":\"CB7B860B-0F93-4C93-8C95-29D259A38C43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"6.1.4.6\",\"matchCriteriaId\":\"A8FC3F82-3521-470B-910E-395895BAB248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.2.2\",\"matchCriteriaId\":\"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Not Applicable\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202208-28\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5146\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Not Applicable\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-28\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5146\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

BDU:2024-07773

Vulnerability from fstec - Published: 11.02.2022

Title

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, позволяющая нарушителю получить доступ к конфиденциальной информации

Description

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma связана с раскрытием конфиденциальной информации неавторизованному лицу. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить доступ к конфиденциальной информации

Severity


                    
                      AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Vendor

Сообщество свободного программного обеспечения, Canonical Ltd., ООО «Ред Софт», АО "НППКТ", Rails Core Team

Software Name

Debian GNU/Linux, Ubuntu, РЕД ОС (запись в едином реестре российских программ №3751), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Puma, Ruby on Rails

Software Version

9 (Debian GNU/Linux), 10 (Debian GNU/Linux), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 22.04 LTS (Ubuntu), до 2.6 (ОСОН ОСнова Оnyx), до 4.3.11 (Puma), от 5.0.0 до 5.6.2 (Puma), от 5.0.0 до 5.2.6.2 (Ruby on Rails), от 6.0.0 до 6.0.4.6 (Ruby on Rails), от 6.1.0 до 6.1.4.6 (Ruby on Rails), от 7.0.0 до 7.0.2.2 (Ruby on Rails)

Possible Mitigations

Использование рекомендаций: Для Puma: https://github.com/advisories/GHSA-rmj8-8hhh-gv5h Для Ruby on Rails: https://github.com/advisories/GHSA-wh98-p28r-vrc9 Для РедоС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2022-23634 Для Ubuntu: https://ubuntu.com/security/CVE-2022-23634 Для ОСОН ОСнова Оnyx: Обновление программного обеспечения puma до версии 3.12.0-2+deb10u3

Reference

https://github.com/advisories/GHSA-rmj8-8hhh-gv5h https://github.com/advisories/GHSA-wh98-p28r-vrc9 https://redos.red-soft.ru/support/secure/ https://security-tracker.debian.org/tracker/CVE-2022-23634 https://ubuntu.com/security/CVE-2022-23634 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.6/

CWE

CWE-404

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:N",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Canonical Ltd., \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Rails Core Team",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 10 (Debian GNU/Linux), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 22.04 LTS (Ubuntu), \u0434\u043e 2.6 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 4.3.11 (Puma), \u043e\u0442 5.0.0 \u0434\u043e 5.6.2 (Puma), \u043e\u0442 5.0.0 \u0434\u043e 5.2.6.2 (Ruby on Rails), \u043e\u0442 6.0.0 \u0434\u043e 6.0.4.6 (Ruby on Rails), \u043e\u0442 6.1.0 \u0434\u043e 6.1.4.6 (Ruby on Rails), \u043e\u0442 7.0.0 \u0434\u043e 7.0.2.2 (Ruby on Rails)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Puma:\nhttps://github.com/advisories/GHSA-rmj8-8hhh-gv5h\n\n\u0414\u043b\u044f Ruby on Rails:\nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u043e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-23634\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/CVE-2022-23634\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx: \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f puma \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 3.12.0-2+deb10u3",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "11.02.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "06.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.10.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-07773",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-23634",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Ubuntu, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Puma, Ruby on Rails",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Canonical Ltd. Ubuntu 20.04 LTS , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Canonical Ltd. Ubuntu 22.04 LTS , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.6  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c HTTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0434\u043b\u044f Ruby/Rack \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Puma, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u0430\u044f \u0437\u0430\u0447\u0438\u0441\u0442\u043a\u0430 \u0438\u043b\u0438 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 (CWE-404)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c HTTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0434\u043b\u044f Ruby/Rack \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Puma \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u043b\u0438\u0446\u0443. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h\nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9\nhttps://redos.red-soft.ru/support/secure/\nhttps://security-tracker.debian.org/tracker/CVE-2022-23634\nhttps://ubuntu.com/security/CVE-2022-23634\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.6/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-404",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8)"
}

CNVD-2022-10705

Vulnerability from cnvd - Published: 2022-02-15

Title

Puma信息泄露漏洞

Description

Puma是美国Evan Phoenix个人开发者的一款针对高并发应用的Web服务器。 Puma存在信息泄露漏洞，该漏洞源于在puma版本5.6.2之前，puma可能并不总是在响应体上调用close，在版本7.0.2.2之前，Rails依赖于关闭响应体，以便其“CurrentAttributes”实现正确工作。这两种行为(Puma不关闭主体+ Rails的Executor实现)的结合会导致信息泄漏。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Puma信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-23634

Impacted products

Name
Puma Puma <5.6.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23634"
    }
  },
  "description": "Puma\u662f\u7f8e\u56fdEvan Phoenix\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u9488\u5bf9\u9ad8\u5e76\u53d1\u5e94\u7528\u7684Web\u670d\u52a1\u5668\u3002\n\nPuma\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728puma\u7248\u672c5.6.2\u4e4b\u524d\uff0cpuma\u53ef\u80fd\u5e76\u4e0d\u603b\u662f\u5728\u54cd\u5e94\u4f53\u4e0a\u8c03\u7528close\uff0c\u5728\u7248\u672c7.0.2.2\u4e4b\u524d\uff0cRails\u4f9d\u8d56\u4e8e\u5173\u95ed\u54cd\u5e94\u4f53\uff0c\u4ee5\u4fbf\u5176\u201cCurrentAttributes\u201d\u5b9e\u73b0\u6b63\u786e\u5de5\u4f5c\u3002\u8fd9\u4e24\u79cd\u884c\u4e3a(Puma\u4e0d\u5173\u95ed\u4e3b\u4f53+ Rails\u7684Executor\u5b9e\u73b0)\u7684\u7ed3\u5408\u4f1a\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-10705",
  "openTime": "2022-02-15",
  "patchDescription": "Puma\u662f\u7f8e\u56fdEvan Phoenix\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u9488\u5bf9\u9ad8\u5e76\u53d1\u5e94\u7528\u7684Web\u670d\u52a1\u5668\u3002\r\n\r\nPuma\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728puma\u7248\u672c5.6.2\u4e4b\u524d\uff0cpuma\u53ef\u80fd\u5e76\u4e0d\u603b\u662f\u5728\u54cd\u5e94\u4f53\u4e0a\u8c03\u7528close\uff0c\u5728\u7248\u672c7.0.2.2\u4e4b\u524d\uff0cRails\u4f9d\u8d56\u4e8e\u5173\u95ed\u54cd\u5e94\u4f53\uff0c\u4ee5\u4fbf\u5176\u201cCurrentAttributes\u201d\u5b9e\u73b0\u6b63\u786e\u5de5\u4f5c\u3002\u8fd9\u4e24\u79cd\u884c\u4e3a(Puma\u4e0d\u5173\u95ed\u4e3b\u4f53+ Rails\u7684Executor\u5b9e\u73b0)\u7684\u7ed3\u5408\u4f1a\u5bfc\u81f4\u4fe1\u606f\u6cc4\u6f0f\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Puma\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Puma Puma \u003c5.6.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
  "serverity": "\u9ad8",
  "submitTime": "2022-02-15",
  "title": "Puma\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

FKIE_CVE-2022-23634

Vulnerability from fkie_nvd - Published: 2022-02-11 22:15 - Updated: 2024-11-21 06:48

Severity

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-rmj8-8hhh-gv5h	Third Party Advisory
security-advisories@github.com	https://github.com/advisories/GHSA-wh98-p28r-vrc9	Mitigation, Not Applicable, Third Party Advisory
security-advisories@github.com	https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h	Patch, Third Party Advisory
security-advisories@github.com	https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1	Mailing List, Mitigation, Patch, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
security-advisories@github.com	https://security.gentoo.org/glsa/202208-28	Third Party Advisory
security-advisories@github.com	https://www.debian.org/security/2022/dsa-5146	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-rmj8-8hhh-gv5h	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-wh98-p28r-vrc9	Mitigation, Not Applicable, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1	Mailing List, Mitigation, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202208-28	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2022/dsa-5146	Third Party Advisory

Impacted products

Vendor	Product	Version
puma	puma	*
puma	puma	*
rubyonrails	rails	*
rubyonrails	rails	*
rubyonrails	rails	*
rubyonrails	rails	*
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0
fedoraproject	fedora	35
fedoraproject	fedora	36
fedoraproject	fedora	37

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F662913A-D835-400A-BE47-112269F1A880",
              "versionEndExcluding": "4.3.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "3221F00A-D4F8-43C2-90D0-98D38E5294B8",
              "versionEndExcluding": "5.6.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
              "versionEndExcluding": "5.2.6.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
              "versionEndExcluding": "6.0.4.6",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
              "versionEndExcluding": "6.1.4.6",
              "versionStartIncluding": "6.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
              "versionEndExcluding": "7.0.2.2",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
    },
    {
      "lang": "es",
      "value": "Puma es un servidor web Ruby/Rack construido para el paralelismo. versiones anteriores a \"puma\" \"5.6.2\", \"puma\" no siempre llamaba a \"close\" en el cuerpo de la respuesta. Rails, versiones anteriores a \"7.0.2.2\", depend\u00eda de que el cuerpo de la respuesta estuviera cerrado para que su implementaci\u00f3n de \"CurrentAttributes\" funcionara correctamente. La combinaci\u00f3n de estos dos comportamientos (que Puma no cierre el cuerpo + la implementaci\u00f3n del ejecutor de Rails) causa un filtrado de informaci\u00f3n. Este problema ha sido solucionado en Puma versiones 5.6.2 y 4.3.11. Este problema se ha solucionado en las versiones de Rails versiones 7.02.2, 6.1.4.6, 6.0.4.6 y 5.2.6.2. La actualizaci\u00f3n a una versi\u00f3n parcheada de Rails _o_ de Puma corrige esta vulnerabilidad"
    }
  ],
  "id": "CVE-2022-23634",
  "lastModified": "2024-11-21T06:48:58.950",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-02-11T22:15:07.817",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Not Applicable",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202208-28"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5146"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Not Applicable",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202208-28"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5146"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-404"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-RMJ8-8HHH-GV5H

Vulnerability from github – Published: 2022-02-11 21:33 – Updated: 2022-08-16 19:43

Summary

Puma used with Rails may lead to Information Exposure

Details

Impact

Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE includes a middleware that can be used instead.

References

Rails CVE: CVE-2022-23633

For more information

If you have any questions or comments about this advisory: * Open an issue in puma * See our security policy

Severity

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-404"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-11T21:33:23Z",
    "nvd_published_at": "2022-02-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPrior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage.\n\n### Patches\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: \nhttps://github.com/advisories/GHSA-wh98-p28r-vrc9 \nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1) includes a middleware that can be used instead.\n\n### References\n\n* Rails CVE: [CVE-2022-23633](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)",
  "id": "GHSA-rmj8-8hhh-gv5h",
  "modified": "2022-08-16T19:43:34Z",
  "published": "2022-02-11T21:33:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puma/puma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-28"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5146"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Puma used with Rails may lead to Information Exposure"
}

GSD-2022-23634

Vulnerability from gsd - Updated: 2022-02-11 00:00

Details

### Impact Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. From Rails: > Under certain circumstances response bodies will not be closed, for example > a bug in a webserver[1] or a bug in a Rack middleware. In the event a > response is not notified of a close, ActionDispatch::Executor will not know > to reset thread local state for the next request. This can lead to data > being leaked to subsequent requests, especially when interacting with > ActiveSupport::CurrentAttributes. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. ### Patches This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. ### Workarounds Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. The [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1) includes a middleware that can be used instead.

Aliases

CVE-2022-23634

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23634",
    "description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
    "id": "GSD-2022-23634",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-23634.html",
      "https://security.archlinux.org/CVE-2022-23634",
      "https://www.debian.org/security/2022/dsa-5146",
      "https://access.redhat.com/errata/RHSA-2022:5498"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "puma",
            "purl": "pkg:gem/puma"
          }
        }
      ],
      "aliases": [
        "CVE-2022-23634",
        "GHSA-rmj8-8hhh-gv5h"
      ],
      "details": "### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example\n\u003e a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n\u003e response is not notified of a close, ActionDispatch::Executor will not know\n\u003e to reset thread local state for the next request. This can lead to data\n\u003e being leaked to subsequent requests, especially when interacting with\n\u003e ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\nincludes a middleware that can be used instead.\n",
      "id": "GSD-2022-23634",
      "modified": "2022-02-11T00:00:00.000Z",
      "published": "2022-02-11T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
        },
        {
          "type": "WEB",
          "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
        }
      ],
      "related": [
        "CVE-2022-23633",
        "GHSA-wh98-p28r-vrc9"
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 8.0,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Information Exposure with Puma when used with Rails"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23634",
        "STATE": "PUBLIC",
        "TITLE": "Information Exposure when using Puma with Rails"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "puma",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 5.0.0, \u003c 5.6.2"
                        },
                        {
                          "version_value": "\u003c 4.3.11"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "puma"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
            "refsource": "CONFIRM",
            "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
            "refsource": "MISC",
            "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
          },
          {
            "name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
            "refsource": "MISC",
            "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
          },
          {
            "name": "DSA-5146",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5146"
          },
          {
            "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
          },
          {
            "name": "GLSA-202208-28",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202208-28"
          },
          {
            "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
          },
          {
            "name": "FEDORA-2022-de968d1b6c",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
          },
          {
            "name": "FEDORA-2022-52d0032596",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
          },
          {
            "name": "FEDORA-2022-7c8b29195f",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-rmj8-8hhh-gv5h",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-23634",
      "cvss_v3": 8.0,
      "date": "2022-02-11",
      "description": "### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n\u003e Under certain circumstances response bodies will not be closed, for example\n\u003e a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n\u003e response is not notified of a close, ActionDispatch::Executor will not know\n\u003e to reset thread local state for the next request. This can lead to data\n\u003e being leaked to subsequent requests, especially when interacting with\n\u003e ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails\u0027\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1)\nincludes a middleware that can be used instead.\n",
      "gem": "puma",
      "ghsa": "rmj8-8hhh-gv5h",
      "patched_versions": [
        "~\u003e 4.3.11",
        "\u003e= 5.6.2"
      ],
      "related": {
        "cve": [
          "2022-23633"
        ],
        "ghsa": [
          "wh98-p28r-vrc9"
        ],
        "url": [
          "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
        ]
      },
      "title": "Information Exposure with Puma when used with Rails",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.3.11||\u003e=5.0.0 \u003c5.6.2",
          "affected_versions": "All versions before 4.3.11, all versions starting from 5.0.0 before 5.6.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-404",
            "CWE-937"
          ],
          "date": "2023-07-13",
          "description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "fixed_versions": [],
          "identifier": "CVE-2022-23634",
          "identifiers": [
            "CVE-2022-23634",
            "GHSA-rmj8-8hhh-gv5h",
            "GHSA-wh98-p28r-vrc9"
          ],
          "not_impacted": "",
          "package_slug": "gem/gitlab-puma",
          "pubdate": "2022-02-11",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Information Exposure when using Puma with Rails",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23634",
            "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
            "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
            "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
            "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
          ],
          "uuid": "5d6e201c-6e97-42e7-9fe7-dae7e03478db"
        },
        {
          "affected_range": "\u003c4.3.11||\u003e=5.0.0 \u003c5.6.2",
          "affected_versions": "All versions before 4.3.11, all versions starting from 5.0.0 before 5.6.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-404",
            "CWE-937"
          ],
          "date": "2023-07-13",
          "description": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "fixed_versions": [
            "4.3.11",
            "5.6.2"
          ],
          "identifier": "CVE-2022-23634",
          "identifiers": [
            "CVE-2022-23634",
            "GHSA-rmj8-8hhh-gv5h",
            "GHSA-wh98-p28r-vrc9"
          ],
          "not_impacted": "All versions starting from 4.3.11 before 5.0.0, all versions starting from 5.6.2",
          "package_slug": "gem/puma",
          "pubdate": "2022-02-11",
          "solution": "Upgrade to versions 4.3.11, 5.6.2 or above.",
          "title": "Information Exposure when using Puma with Rails",
          "urls": [
            "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
            "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
            "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
            "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
          ],
          "uuid": "08779c8c-d71f-4221-aa91-aaa1e98674be"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.6.2",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.3.11",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.0.2.2",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.1.4.6",
                "versionStartIncluding": "6.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.4.6",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.6.2",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23634"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-404"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
            },
            {
              "name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Mitigation",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
            },
            {
              "name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Not Applicable",
                "Third Party Advisory"
              ],
              "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
            },
            {
              "name": "DSA-5146",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5146"
            },
            {
              "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
            },
            {
              "name": "GLSA-202208-28",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202208-28"
            },
            {
              "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
            },
            {
              "name": "FEDORA-2022-de968d1b6c",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
            },
            {
              "name": "FEDORA-2022-52d0032596",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
            },
            {
              "name": "FEDORA-2022-7c8b29195f",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-13T16:31Z",
      "publishedDate": "2022-02-11T22:15Z"
    }
  }
}

OPENSUSE-SU-2024:11847-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.1-rubygem-puma-5.6.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.1-rubygem-puma-5.6.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-puma-5.6.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-11847

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.1-rubygem-puma-5.6.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11847",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11847-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.1-rubygem-puma-5.6.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11847-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
                "product": {
                  "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
                  "product_id": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        },
        "product_reference": "ruby3.1-rubygem-puma-5.6.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-puma-5.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2024:12900-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.2-rubygem-puma-6.0.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.2-rubygem-puma-6.0.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12900

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.2-rubygem-puma-6.0.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12900",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12900-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.2-rubygem-puma-6.0.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12900-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
                "product": {
                  "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
                  "product_id": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        },
        "product_reference": "ruby3.2-rubygem-puma-6.0.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-puma-6.0.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2024:13720-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.3-rubygem-puma-6.4.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.3-rubygem-puma-6.4.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13720

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

13 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13720",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13720-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "ruby3.3-rubygem-puma-6.4.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13720-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-puma-6.4.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

OPENSUSE-SU-2025:15123-1

Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

Summary

ruby3.4-rubygem-puma-6.4.3-1.3 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.4-rubygem-puma-6.4.3-1.3 on GA media

Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2025-15123

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-45614

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64	—	Vendor Fix

Threats

Impact moderate

References

18 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2024-45614/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external
https://www.suse.com/security/cve/CVE-2024-45614	external
https://bugzilla.suse.com/1230848	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15123",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15123-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15123-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15123-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45614 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45614/"
      }
    ],
    "title": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
    "tracking": {
      "current_release_date": "2025-05-17T00:00:00Z",
      "generator": {
        "date": "2025-05-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15123-1",
      "initial_release_date": "2025-05-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
                  "product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    },
    {
      "cve": "CVE-2024-45614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45614",
          "url": "https://www.suse.com/security/cve/CVE-2024-45614"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230848 for CVE-2024-45614",
          "url": "https://bugzilla.suse.com/1230848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45614"
    }
  ]
}

OPENSUSE-SU-2026:10357-1

Vulnerability from csaf_opensuse - Published: 2026-03-13 00:00 - Updated: 2026-03-13 00:00

Summary

ruby4.0-rubygem-puma-6.4.3-1.5 on GA media

Severity

Moderate

Notes

Title of the patch: ruby4.0-rubygem-puma-6.4.3-1.5 on GA media

Description of the patch: These are all security issues fixed in the ruby4.0-rubygem-puma-6.4.3-1.5 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10357

CVE-2019-16770

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2020-11076

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-23634

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-45614

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64	—	Vendor Fix

Threats

Impact moderate

References

16 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2019-16770/	self
https://www.suse.com/security/cve/CVE-2020-11076/	self
https://www.suse.com/security/cve/CVE-2022-23634/	self
https://www.suse.com/security/cve/CVE-2024-45614/	self
https://www.suse.com/security/cve/CVE-2019-16770	external
https://bugzilla.suse.com/1158675	external
https://bugzilla.suse.com/1188527	external
https://www.suse.com/security/cve/CVE-2020-11076	external
https://bugzilla.suse.com/1172175	external
https://bugzilla.suse.com/1172176	external
https://www.suse.com/security/cve/CVE-2022-23634	external
https://bugzilla.suse.com/1196222	external
https://www.suse.com/security/cve/CVE-2024-45614	external
https://bugzilla.suse.com/1230848	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby4.0-rubygem-puma-6.4.3-1.5 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10357",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10357-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16770 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16770/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-11076 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-11076/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45614 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45614/"
      }
    ],
    "title": "ruby4.0-rubygem-puma-6.4.3-1.5 on GA media",
    "tracking": {
      "current_release_date": "2026-03-13T00:00:00Z",
      "generator": {
        "date": "2026-03-13T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10357-1",
      "initial_release_date": "2026-03-13T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-13T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
                "product": {
                  "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
                  "product_id": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        },
        "product_reference": "ruby4.0-rubygem-puma-6.4.3-1.5.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-16770",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16770"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16770",
          "url": "https://www.suse.com/security/cve/CVE-2019-16770"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1158675 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1158675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2019-16770",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-16770"
    },
    {
      "cve": "CVE-2020-11076",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-11076"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-11076",
          "url": "https://www.suse.com/security/cve/CVE-2020-11076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172175 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172175"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172176 for CVE-2020-11076",
          "url": "https://bugzilla.suse.com/1172176"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-11076"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    },
    {
      "cve": "CVE-2024-45614",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45614"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
          "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45614",
          "url": "https://www.suse.com/security/cve/CVE-2024-45614"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1230848 for CVE-2024-45614",
          "url": "https://bugzilla.suse.com/1230848"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.aarch64",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.ppc64le",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.s390x",
            "openSUSE Tumbleweed:ruby4.0-rubygem-puma-6.4.3-1.5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-13T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45614"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23634 (GCVE-0-2022-23634)

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature