CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2021-29509 – Keepalive Connections Causing Denial Of Service in puma
https://notcve.org/view.php?id=CVE-2021-29509
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. • https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837 https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5 https://github.com/puma/puma/security/policy https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html https://rubygems.org/gems/puma https://security.gentoo.org/glsa/202208-28 https://access.redhat.com/security/cve/CVE-2021-29509 https://bugzilla.redhat.com/show_bug.cgi?id=1964874 • CWE-400: Uncontrolled Resource Consumption CWE-667: Improper Locking •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-11077 – HTTP Smuggling via Transfer-Encoding Header in Puma
https://notcve.org/view.php?id=CVE-2020-11077
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-11076 – HTTP Smuggling via Transfer-Encoding Header in Puma
https://notcve.org/view.php?id=CVE-2020-11076
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. En Puma (RubyGem) versiones anteriores a 4.3.4 y 3.12.5, un atacante podría hacer pasar sin autorización una respuesta HTTP, mediante el uso de un encabezado de codificación transfer no válido. El problema ha sido corregido en Puma versión 3.12.5 y Puma versión 4.3.4. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html https://lists.fedoraproject.org/archives/list/package-announ • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5249 – HTTP Response Splitting (Early Hints) in Puma
https://notcve.org/view.php?id=CVE-2020-5249
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4. • https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.5EPSS: 1%CPEs: 11EXPL: 0CVE-2020-5247 – HTTP Response Splitting in Puma
https://notcve.org/view.php?id=CVE-2020-5247
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. • https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD https://owasp.org/www-communi • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •