gsd-2019-16770
Vulnerability from gsd
Modified
2019-12-05 00:00
Details
A poorly-behaved client could use keepalive requests to monopolize
Puma's reactor and create a denial of service attack.
If more keepalive connections to Puma are opened than there are
threads available, additional connections will wait permanently if
the attacker sends requests frequently enough.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-16770",
"description": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.",
"id": "GSD-2019-16770",
"references": [
"https://www.suse.com/security/cve/CVE-2019-16770.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma",
"purl": "pkg:gem/puma"
}
}
],
"aliases": [
"CVE-2019-16770",
"GHSA-7xx3-m584-x994"
],
"details": "A poorly-behaved client could use keepalive requests to monopolize\nPuma\u0027s reactor and create a denial of service attack.\n\nIf more keepalive connections to Puma are opened than there are\nthreads available, additional connections will wait permanently if\nthe attacker sends requests frequently enough.\n",
"id": "GSD-2019-16770",
"modified": "2019-12-05T00:00:00.000Z",
"published": "2019-12-05T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
},
{
"score": 8.8,
"type": "CVSS_V3"
}
],
"summary": "Keepalive thread overload/DoS in puma"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16770",
"STATE": "PUBLIC",
"TITLE": "Potential DOS attack in Puma"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "puma",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 4.3.1",
"version_value": "4.3.1"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-770 Allocation of Resources Without Limits or Throttling"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
}
]
},
"source": {
"advisory": "GHSA-7xx3-m584-x994",
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma\u0027s thread pool."
}
]
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2019-16770",
"cvss_v2": 6.8,
"cvss_v3": 8.8,
"date": "2019-12-05",
"description": "A poorly-behaved client could use keepalive requests to monopolize\nPuma\u0027s reactor and create a denial of service attack.\n\nIf more keepalive connections to Puma are opened than there are\nthreads available, additional connections will wait permanently if\nthe attacker sends requests frequently enough.\n",
"gem": "puma",
"ghsa": "7xx3-m584-x994",
"patched_versions": [
"~\u003e 3.12.2",
"\u003e= 4.3.1"
],
"title": "Keepalive thread overload/DoS in puma",
"url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.0.0 \u003c3.12.2||\u003e=4.0.0 \u003c4.3.1",
"affected_versions": "All versions starting from 3.0.0 before 3.12.2, all versions starting from 4.0.0 before 4.3.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-770",
"CWE-937"
],
"date": "2019-12-19",
"description": "In GitLab Puma, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.",
"fixed_versions": [
"3.12.2",
"4.3.1"
],
"identifier": "CVE-2019-16770",
"identifiers": [
"CVE-2019-16770",
"GHSA-7xx3-m584-x994"
],
"not_impacted": "All versions before 3.0.0, all versions starting from 3.12.2 before 4.0.0, all versions starting from 4.3.1",
"package_slug": "gem/gitlab-puma",
"pubdate": "2019-12-05",
"solution": "Upgrade to versions 3.12.2, 4.3.1 or above.",
"title": "Allocation of Resources Without Limits or Throttling",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-16770"
],
"uuid": "c94fccf6-ebf7-470a-bc2e-a04760158034"
},
{
"affected_range": "\u003e=3.0.0 \u003c3.12.2||\u003e=4.0.0 \u003c4.3.1",
"affected_versions": "All versions starting from 3.0.0 before 3.12.2, all versions starting from 4.0.0 before 4.3.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-770",
"CWE-937"
],
"date": "2019-12-19",
"description": "In Puma, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.",
"fixed_versions": [
"3.12.2",
"4.3.1"
],
"identifier": "CVE-2019-16770",
"identifiers": [
"CVE-2019-16770",
"GHSA-7xx3-m584-x994"
],
"not_impacted": "All versions before 3.0.0, all versions starting from 3.12.2 before 4.0.0, all versions starting from 4.3.1",
"package_slug": "gem/puma",
"pubdate": "2019-12-05",
"solution": "Upgrade to versions 3.12.2, 4.3.1 or above.",
"title": "Allocation of Resources Without Limits or Throttling",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-16770"
],
"uuid": "855d4255-6625-4349-b9d9-b8df7a97e7f5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.12.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "4.3.1",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16770"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma\u0027s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994",
"refsource": "CONFIRM",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"
},
{
"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-10-08T02:42Z",
"publishedDate": "2019-12-05T20:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.