Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-45614 (GCVE-0-2024-45614)
Vulnerability from cvelistv5 – Published: 2024-09-19 22:42 – Updated: 2025-11-03 22:15
VLAI?
EPSS
Summary
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Severity ?
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T13:54:35.745068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T13:54:50.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:15:51.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "puma",
"vendor": "puma",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.4.3"
},
{
"status": "affected",
"version": "\u003c 5.6.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T22:42:33.974Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"
},
{
"name": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers",
"tags": [
"x_refsource_MISC"
],
"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"
}
],
"source": {
"advisory": "GHSA-9hf4-67fc-4vf4",
"discovery": "UNKNOWN"
},
"title": "Header normalization allows for client to clobber proxy set headers in Puma"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45614",
"datePublished": "2024-09-19T22:42:33.974Z",
"dateReserved": "2024-09-02T16:00:02.425Z",
"dateUpdated": "2025-11-03T22:15:51.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"5.6.9\", \"matchCriteriaId\": \"97372632-D7E2-4DE6-A0CB-4191EF627AF4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.4.3\", \"matchCriteriaId\": \"70AE8ED4-BC0B-4714-9B00-EF4A321DACAC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.\"}, {\"lang\": \"es\", \"value\": \"Puma es un servidor web Ruby/Rack creado para el paralelismo. En las versiones afectadas, los clientes pod\\u00edan alterar los valores establecidos por los servidores proxy intermedios (como X-Forwarded-For) al proporcionar una versi\\u00f3n con guiones bajos del mismo encabezado (X-Forwarded_For). Todos los usuarios que dependan de las variables establecidas por el proxy se ven afectados. v6.4.3/v5.6.9 ahora descarta cualquier encabezado que utilice guiones bajos si tambi\\u00e9n existe la versi\\u00f3n sin guiones bajos. De hecho, permite que los encabezados definidos por el proxy siempre prevalezcan. Se recomienda a los usuarios que actualicen. Nginx tiene una variable de configuraci\\u00f3n underscores_in_headers para descartar estos encabezados a nivel de proxy como mitigaci\\u00f3n. Todos los usuarios que conf\\u00eden impl\\u00edcitamente en los encabezados definidos por el proxy por razones de seguridad deben dejar de hacerlo de inmediato hasta que se actualicen a las versiones corregidas.\"}]",
"id": "CVE-2024-45614",
"lastModified": "2024-09-26T13:28:30.537",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 2.7}]}",
"published": "2024-09-19T23:15:11.703",
"references": "[{\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45614\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-19T23:15:11.703\",\"lastModified\":\"2025-11-03T23:15:51.233\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.\"},{\"lang\":\"es\",\"value\":\"Puma es un servidor web Ruby/Rack creado para el paralelismo. En las versiones afectadas, los clientes pod\u00edan alterar los valores establecidos por los servidores proxy intermedios (como X-Forwarded-For) al proporcionar una versi\u00f3n con guiones bajos del mismo encabezado (X-Forwarded_For). Todos los usuarios que dependan de las variables establecidas por el proxy se ven afectados. v6.4.3/v5.6.9 ahora descarta cualquier encabezado que utilice guiones bajos si tambi\u00e9n existe la versi\u00f3n sin guiones bajos. De hecho, permite que los encabezados definidos por el proxy siempre prevalezcan. Se recomienda a los usuarios que actualicen. Nginx tiene una variable de configuraci\u00f3n underscores_in_headers para descartar estos encabezados a nivel de proxy como mitigaci\u00f3n. Todos los usuarios que conf\u00eden impl\u00edcitamente en los encabezados definidos por el proxy por razones de seguridad deben dejar de hacerlo de inmediato hasta que se actualicen a las versiones corregidas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"5.6.9\",\"matchCriteriaId\":\"97372632-D7E2-4DE6-A0CB-4191EF627AF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.4.3\",\"matchCriteriaId\":\"70AE8ED4-BC0B-4714-9B00-EF4A321DACAC\"}]}]}],\"references\":[{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:15:51.621Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45614\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-20T13:54:35.745068Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-20T13:54:46.693Z\"}}], \"cna\": {\"title\": \"Header normalization allows for client to clobber proxy set headers in Puma\", \"source\": {\"advisory\": \"GHSA-9hf4-67fc-4vf4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"puma\", \"product\": \"puma\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 6.0.0, \u003c 6.4.3\"}, {\"status\": \"affected\", \"version\": \"\u003c 5.6.9\"}]}], \"references\": [{\"url\": \"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4\", \"name\": \"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers\", \"name\": \"https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-19T22:42:33.974Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45614\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T22:15:51.621Z\", \"dateReserved\": \"2024-09-02T16:00:02.425Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-19T22:42:33.974Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
OPENSUSE-SU-2024:14474-1
Vulnerability from csaf_opensuse - Published: 2024-11-07 00:00 - Updated: 2024-11-07 00:00Summary
ruby3.3-rubygem-puma-6.4.3-1.1 on GA media
Notes
Title of the patch
ruby3.3-rubygem-puma-6.4.3-1.1 on GA media
Description of the patch
These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14474
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-puma-6.4.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-puma-6.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14474",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14474-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14474-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KEQC6VXDRLKMORIMGPTEWYXJTS5FJNNK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14474-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KEQC6VXDRLKMORIMGPTEWYXJTS5FJNNK/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "ruby3.3-rubygem-puma-6.4.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-11-07T00:00:00Z",
"generator": {
"date": "2024-11-07T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14474-1",
"initial_release_date": "2024-11-07T00:00:00Z",
"revision_history": [
{
"date": "2024-11-07T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"product_id": "ruby3.3-rubygem-puma-6.4.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"product_id": "ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"product_id": "ruby3.3-rubygem-puma-6.4.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.x86_64",
"product": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.x86_64",
"product_id": "ruby3.3-rubygem-puma-6.4.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.aarch64"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.s390x"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-puma-6.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.x86_64"
},
"product_reference": "ruby3.3-rubygem-puma-6.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-puma-6.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-07T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
OPENSUSE-SU-2025:15123-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00Summary
ruby3.4-rubygem-puma-6.4.3-1.3 on GA media
Notes
Title of the patch
ruby3.4-rubygem-puma-6.4.3-1.3 on GA media
Description of the patch
These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15123
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-puma-6.4.3-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15123",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15123-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15123-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15123-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4HTCFDLUCKJZXX35RHXSTQHMCPIT5GOW/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-16770 page",
"url": "https://www.suse.com/security/cve/CVE-2019-16770/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11076 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11076/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23634 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23634/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "ruby3.4-rubygem-puma-6.4.3-1.3 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15123-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"product": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"product_id": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
},
"product_reference": "ruby3.4-rubygem-puma-6.4.3-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-16770",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-16770"
}
],
"notes": [
{
"category": "general",
"text": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-16770",
"url": "https://www.suse.com/security/cve/CVE-2019-16770"
},
{
"category": "external",
"summary": "SUSE Bug 1158675 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1158675"
},
{
"category": "external",
"summary": "SUSE Bug 1188527 for CVE-2019-16770",
"url": "https://bugzilla.suse.com/1188527"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-16770"
},
{
"cve": "CVE-2020-11076",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11076"
}
],
"notes": [
{
"category": "general",
"text": "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11076",
"url": "https://www.suse.com/security/cve/CVE-2020-11076"
},
{
"category": "external",
"summary": "SUSE Bug 1172175 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172175"
},
{
"category": "external",
"summary": "SUSE Bug 1172176 for CVE-2020-11076",
"url": "https://bugzilla.suse.com/1172176"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11076"
},
{
"cve": "CVE-2022-23634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23634"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23634",
"url": "https://www.suse.com/security/cve/CVE-2022-23634"
},
{
"category": "external",
"summary": "SUSE Bug 1196222 for CVE-2022-23634",
"url": "https://bugzilla.suse.com/1196222"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23634"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-puma-6.4.3-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
SUSE-SU-2025:03467-1
Vulnerability from csaf_suse - Published: 2025-10-07 11:34 - Updated: 2025-10-07 11:34Summary
Security update for rubygem-puma
Notes
Title of the patch
Security update for rubygem-puma
Description of the patch
This update for rubygem-puma fixes the following issues:
Update to version 5.6.9.
- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to
information leaks (bsc#1230848, fixed in an earlier update).
- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to
denial-of-service attacks (bsc#1218638, fixed in an earlier update)
- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length
headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).
Patchnames
SUSE-2025-3467,SUSE-SLE-Product-HA-15-SP6-2025-3467,SUSE-SLE-Product-HA-15-SP7-2025-3467,openSUSE-SLE-15.6-2025-3467
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-puma",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-puma fixes the following issues:\n\nUpdate to version 5.6.9.\n\n- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to\n information leaks (bsc#1230848, fixed in an earlier update).\n- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to\n denial-of-service attacks (bsc#1218638, fixed in an earlier update)\n- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length\n headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3467,SUSE-SLE-Product-HA-15-SP6-2025-3467,SUSE-SLE-Product-HA-15-SP7-2025-3467,openSUSE-SLE-15.6-2025-3467",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03467-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03467-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503467-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03467-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042012.html"
},
{
"category": "self",
"summary": "SUSE Bug 1214425",
"url": "https://bugzilla.suse.com/1214425"
},
{
"category": "self",
"summary": "SUSE Bug 1218638",
"url": "https://bugzilla.suse.com/1218638"
},
{
"category": "self",
"summary": "SUSE Bug 1230848",
"url": "https://bugzilla.suse.com/1230848"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-40175 page",
"url": "https://www.suse.com/security/cve/CVE-2023-40175/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-21647 page",
"url": "https://www.suse.com/security/cve/CVE-2024-21647/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "Security update for rubygem-puma",
"tracking": {
"current_release_date": "2025-10-07T11:34:07Z",
"generator": {
"date": "2025-10-07T11:34:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03467-1",
"initial_release_date": "2025-10-07T11:34:07Z",
"revision_history": [
{
"date": "2025-10-07T11:34:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.i586",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.i586"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.i586",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP6",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP7",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-40175",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-40175"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-40175",
"url": "https://www.suse.com/security/cve/CVE-2023-40175"
},
{
"category": "external",
"summary": "SUSE Bug 1214425 for CVE-2023-40175",
"url": "https://bugzilla.suse.com/1214425"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:34:07Z",
"details": "important"
}
],
"title": "CVE-2023-40175"
},
{
"cve": "CVE-2024-21647",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-21647"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-21647",
"url": "https://www.suse.com/security/cve/CVE-2024-21647"
},
{
"category": "external",
"summary": "SUSE Bug 1218638 for CVE-2024-21647",
"url": "https://bugzilla.suse.com/1218638"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:34:07Z",
"details": "moderate"
}
],
"title": "CVE-2024-21647"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-5.6.9-150600.18.3.1.x86_64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.aarch64",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.ppc64le",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.s390x",
"openSUSE Leap 15.6:ruby2.5-rubygem-puma-doc-5.6.9-150600.18.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:34:07Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
SUSE-SU-2024:3644-1
Vulnerability from csaf_suse - Published: 2024-10-16 06:55 - Updated: 2024-10-16 06:55Summary
Security update for rubygem-puma
Notes
Title of the patch
Security update for rubygem-puma
Description of the patch
This update for rubygem-puma fixes the following issues:
- CVE-2024-45614: Prevent underscores from clobbering hyphen headers (bsc#1230848).
- CVE-2024-21647: Fixed DoS when parsing chunked Transfer-Encoding bodies (bsc#1218638).
Patchnames
SUSE-2024-3644,SUSE-SLE-Product-HA-15-SP2-2024-3644,SUSE-SLE-Product-HA-15-SP3-2024-3644,SUSE-SLE-Product-HA-15-SP4-2024-3644,SUSE-SLE-Product-HA-15-SP5-2024-3644,openSUSE-SLE-15.5-2024-3644
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-puma",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-puma fixes the following issues:\n\n- CVE-2024-45614: Prevent underscores from clobbering hyphen headers (bsc#1230848).\n- CVE-2024-21647: Fixed DoS when parsing chunked Transfer-Encoding bodies (bsc#1218638).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-3644,SUSE-SLE-Product-HA-15-SP2-2024-3644,SUSE-SLE-Product-HA-15-SP3-2024-3644,SUSE-SLE-Product-HA-15-SP4-2024-3644,SUSE-SLE-Product-HA-15-SP5-2024-3644,openSUSE-SLE-15.5-2024-3644",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3644-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:3644-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243644-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:3644-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019615.html"
},
{
"category": "self",
"summary": "SUSE Bug 1218638",
"url": "https://bugzilla.suse.com/1218638"
},
{
"category": "self",
"summary": "SUSE Bug 1230848",
"url": "https://bugzilla.suse.com/1230848"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-21647 page",
"url": "https://www.suse.com/security/cve/CVE-2024-21647/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "Security update for rubygem-puma",
"tracking": {
"current_release_date": "2024-10-16T06:55:11Z",
"generator": {
"date": "2024-10-16T06:55:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:3644-1",
"initial_release_date": "2024-10-16T06:55:11Z",
"revision_history": [
{
"date": "2024-10-16T06:55:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.i586",
"product_id": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.i586"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.i586",
"product_id": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"product_id": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"product_id": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-21647",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-21647"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-21647",
"url": "https://www.suse.com/security/cve/CVE-2024-21647"
},
{
"category": "external",
"summary": "SUSE Bug 1218638 for CVE-2024-21647",
"url": "https://bugzilla.suse.com/1218638"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-10-16T06:55:11Z",
"details": "moderate"
}
],
"title": "CVE-2024-21647"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-4.3.12-150000.3.15.1.x86_64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.aarch64",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.ppc64le",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.s390x",
"openSUSE Leap 15.5:ruby2.5-rubygem-puma-doc-4.3.12-150000.3.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-10-16T06:55:11Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
SUSE-SU-2025:03466-1
Vulnerability from csaf_suse - Published: 2025-10-07 11:33 - Updated: 2025-10-07 11:33Summary
Security update for rubygem-puma
Notes
Title of the patch
Security update for rubygem-puma
Description of the patch
This update for rubygem-puma fixes the following issues:
Update to version 5.6.9.
- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to
information leaks (bsc#1230848, fixed in an earlier update).
- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to
denial-of-service attacks (bsc#1218638, fixed in an earlier update)
- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length
headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).
Patchnames
SUSE-2025-3466,SUSE-SLE-Product-HA-15-SP3-2025-3466,SUSE-SLE-Product-HA-15-SP4-2025-3466,SUSE-SLE-Product-HA-15-SP5-2025-3466
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-puma",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-puma fixes the following issues:\n\nUpdate to version 5.6.9.\n\n- CVE-2024-45614: improper header normalization allows for clients to clobber proxy set headers, which can lead to\n information leaks (bsc#1230848, fixed in an earlier update).\n- CVE-2024-21647: unbounded resource consumption due to invalid parsing of chunked encoding in HTTP/1.1 can lead to\n denial-of-service attacks (bsc#1218638, fixed in an earlier update)\n- CVE-2023-40175: incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length\n headers can lead to HTTP request smuggling attacks (bsc#1214425, fixed in an earlier update).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3466,SUSE-SLE-Product-HA-15-SP3-2025-3466,SUSE-SLE-Product-HA-15-SP4-2025-3466,SUSE-SLE-Product-HA-15-SP5-2025-3466",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03466-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03466-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503466-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03466-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042013.html"
},
{
"category": "self",
"summary": "SUSE Bug 1214425",
"url": "https://bugzilla.suse.com/1214425"
},
{
"category": "self",
"summary": "SUSE Bug 1218638",
"url": "https://bugzilla.suse.com/1218638"
},
{
"category": "self",
"summary": "SUSE Bug 1230848",
"url": "https://bugzilla.suse.com/1230848"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-40175 page",
"url": "https://www.suse.com/security/cve/CVE-2023-40175/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-21647 page",
"url": "https://www.suse.com/security/cve/CVE-2024-21647/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45614 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45614/"
}
],
"title": "Security update for rubygem-puma",
"tracking": {
"current_release_date": "2025-10-07T11:33:53Z",
"generator": {
"date": "2025-10-07T11:33:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03466-1",
"initial_release_date": "2025-10-07T11:33:53Z",
"revision_history": [
{
"date": "2025-10-07T11:33:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.aarch64",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.i586",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.i586"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.i586",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.i586",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.ppc64le",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.s390x",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.s390x",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.x86_64",
"product_id": "ruby2.5-rubygem-puma-doc-5.6.9-150000.3.18.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-40175",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-40175"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-40175",
"url": "https://www.suse.com/security/cve/CVE-2023-40175"
},
{
"category": "external",
"summary": "SUSE Bug 1214425 for CVE-2023-40175",
"url": "https://bugzilla.suse.com/1214425"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:33:53Z",
"details": "important"
}
],
"title": "CVE-2023-40175"
},
{
"cve": "CVE-2024-21647",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-21647"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.\n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-21647",
"url": "https://www.suse.com/security/cve/CVE-2024-21647"
},
{
"category": "external",
"summary": "SUSE Bug 1218638 for CVE-2024-21647",
"url": "https://bugzilla.suse.com/1218638"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:33:53Z",
"details": "moderate"
}
],
"title": "CVE-2024-21647"
},
{
"cve": "CVE-2024-45614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45614"
}
],
"notes": [
{
"category": "general",
"text": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45614",
"url": "https://www.suse.com/security/cve/CVE-2024-45614"
},
{
"category": "external",
"summary": "SUSE Bug 1230848 for CVE-2024-45614",
"url": "https://bugzilla.suse.com/1230848"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-puma-5.6.9-150000.3.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-07T11:33:53Z",
"details": "moderate"
}
],
"title": "CVE-2024-45614"
}
]
}
FKIE_CVE-2024-45614
Vulnerability from fkie_nvd - Published: 2024-09-19 23:15 - Updated: 2025-11-03 23:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "97372632-D7E2-4DE6-A0CB-4191EF627AF4",
"versionEndExcluding": "5.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "70AE8ED4-BC0B-4714-9B00-EF4A321DACAC",
"versionEndExcluding": "6.4.3",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."
},
{
"lang": "es",
"value": "Puma es un servidor web Ruby/Rack creado para el paralelismo. En las versiones afectadas, los clientes pod\u00edan alterar los valores establecidos por los servidores proxy intermedios (como X-Forwarded-For) al proporcionar una versi\u00f3n con guiones bajos del mismo encabezado (X-Forwarded_For). Todos los usuarios que dependan de las variables establecidas por el proxy se ven afectados. v6.4.3/v5.6.9 ahora descarta cualquier encabezado que utilice guiones bajos si tambi\u00e9n existe la versi\u00f3n sin guiones bajos. De hecho, permite que los encabezados definidos por el proxy siempre prevalezcan. Se recomienda a los usuarios que actualicen. Nginx tiene una variable de configuraci\u00f3n underscores_in_headers para descartar estos encabezados a nivel de proxy como mitigaci\u00f3n. Todos los usuarios que conf\u00eden impl\u00edcitamente en los encabezados definidos por el proxy por razones de seguridad deben dejar de hacerlo de inmediato hasta que se actualicen a las versiones corregidas."
}
],
"id": "CVE-2024-45614",
"lastModified": "2025-11-03T23:15:51.233",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-19T23:15:11.703",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-9HF4-67FC-4VF4
Vulnerability from github – Published: 2024-09-20 14:40 – Updated: 2025-11-04 16:53
VLAI?
Summary
Puma's header normalization allows for client to clobber proxy set headers
Details
Impact
Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches
v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.
Workarounds
Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level.
Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45614"
],
"database_specific": {
"cwe_ids": [
"CWE-444",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-20T14:40:16Z",
"nvd_published_at": "2024-09-19T23:15:11Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nClients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack. \n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.",
"id": "GHSA-9hf4-67fc-4vf4",
"modified": "2025-11-04T16:53:06Z",
"published": "2024-09-20T14:40:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
},
{
"type": "WEB",
"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Puma\u0027s header normalization allows for client to clobber proxy set headers"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…