// For flags

CVE-2022-24790

HTTP Request Smuggling in puma

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

Puma es un servidor HTTP versión 1.1 simple, rápido, multihilo y paralelo para aplicaciones Ruby/Rack. Cuando es usado Puma detrás de un proxy que no comprueba apropiadamente que la petición HTTP entrante coincide con el estándar RFC7230, Puma y el proxy del frontend pueden no estar de acuerdo en dónde empieza y termina una petición. Esto permitiría contrabandear peticiones por medio del proxy del front-end a Puma. La vulnerabilidad ha sido corregida en versiones 5.6.4 y 4.3.12. Se recomienda a usuarios actualizar lo antes posible. Mitigación: cuando despliegue un proxy frente a Puma, habilite todas las funciones para asegurarse de que la petición se ajusta al estándar RFC7230

A HTTP request smuggling flaw was found in puma. This issue occurs when using puma behind a proxy. Puma does not validate incoming HTTP requests, as per RFC specification, leading to loss of integrity.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-03-30 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-11-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Puma
Search vendor "Puma"
Puma
Search vendor "Puma" for product "Puma"
< 4.3.12
Search vendor "Puma" for product "Puma" and version " < 4.3.12"
ruby
Affected
Puma
Search vendor "Puma"
Puma
Search vendor "Puma" for product "Puma"
>= 5.0.0 < 5.6.4
Search vendor "Puma" for product "Puma" and version " >= 5.0.0 < 5.6.4"
ruby
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected