CVE-2019-16770
Potential DOS attack in Puma
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
En Puma, anterior a las versiones 3.12.2 y 4.3.1, un cliente con mal comportamiento podría utilizar solicitudes de keepalive para monopolizar el reactor de Puma y crear un ataque de denegación de servicio. Si se abren más conexiones keepalive a Puma que hilos disponibles, las conexiones adicionales esperarán permanentemente si el atacante envía solicitudes con la suficiente frecuencia. Esta vulnerabilidad está reparada en Puma 4.3.1 y 3.12.2.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-09-24 CVE Reserved
- 2019-12-05 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 | Mitigation | |
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Puma Search vendor "Puma" | Puma Search vendor "Puma" for product "Puma" | >= 3.0.0 < 3.12.2 Search vendor "Puma" for product "Puma" and version " >= 3.0.0 < 3.12.2" | ruby |
Affected
| ||||||
Puma Search vendor "Puma" | Puma Search vendor "Puma" for product "Puma" | >= 4.0.0 < 4.3.1 Search vendor "Puma" for product "Puma" and version " >= 4.0.0 < 4.3.1" | ruby |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
|