CVE-2022-24790
HTTP Request Smuggling in puma
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: see Affected Vendors, Products, and Versions below
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When Puma is deployed behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the front-end proxy may disagree on where a request starts and ends. This allows requests to be smuggled through the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turn on all functionality that ensures the request matches the RFC7230 standard.
An HTTP request smuggling flaw was found in puma. This issue occurs when puma is used behind a proxy. Puma does not validate incoming HTTP requests as required by the RFC specification, leading to loss of integrity.
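The descriptions above state the class of bug (CWE-444) but not the concrete framing discrepancy, so the following is an added, constructed illustration of how two message framers can disagree on where a request ends, and of the RFC 7230 section 3.3.3 check the workaround asks the proxy to enforce. It is not Puma's parser, not the proxy's, and not the patched code; the request bytes, the host `app.example` and the path `/admin` are made up for the demonstration.

```ruby
# Added illustration of a CWE-444 desync. Two lenient HTTP/1.1 framers read
# the same constructed byte stream: one trusts Content-Length, the other
# trusts Transfer-Encoding. A strict RFC 7230 check refuses the ambiguity.
# Not Puma's code; the request below is constructed for this example.

# Content-Length covers the whole 47-byte tail (5 bytes of "0\r\n\r\n" plus a
# 42-byte second request). The chunked body ends after the "0" chunk, so a
# chunked-trusting framer sees "GET /admin" as a separate request.
SMUGGLED =
  "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
  "Content-Length: 47\r\nTransfer-Encoding: chunked\r\n\r\n" \
  "0\r\n\r\n" \
  "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"

# Parses a request head into [request_line, headers]; names are lower-cased
# and duplicate fields are joined with a comma.
def parse_head(head)
  request_line, *header_lines = head.split("\r\n")
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    name = name.strip.downcase
    value = value.to_s.strip
    headers[name] = headers.key?(name) ? "#{headers[name]}, #{value}" : value
  end
  [request_line, headers]
end

# Reads a chunked body from rest; returns [body, remaining_bytes].
def read_chunked(rest)
  body = +""
  loop do
    size_line, sep, rest = rest.partition("\r\n")
    raise "incomplete chunk size line" if sep.empty?
    size = Integer(size_line.split(";").first.strip, 16)
    if size.zero?
      loop do                         # trailer section ends with an empty line
        line, sep2, rest = rest.partition("\r\n")
        raise "incomplete trailer section" if sep2.empty?
        break if line.empty?
      end
      return [body, rest]
    end
    raise "incomplete chunk data" if rest.bytesize < size + 2
    body << rest[0, size]
    rest = rest[size + 2..]           # skip chunk data and its trailing CRLF
  end
end

# One lenient framing rule. prefer: :chunked trusts Transfer-Encoding when
# both headers are present; prefer: :content_length trusts Content-Length.
def read_body(headers, rest, prefer)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  if te && (prefer == :chunked || cl.nil?)
    read_chunked(rest)
  elsif cl
    n = Integer(cl.split(",").first.strip, 10)
    raise "incomplete body" if rest.bytesize < n
    [rest[0, n], rest[n..]]
  else
    [+"", rest]
  end
end

# Splits a byte stream into the requests a lenient framer would see.
def frame_requests(stream, prefer:)
  requests = []
  until stream.empty?
    head, sep, rest = stream.partition("\r\n\r\n")
    raise "incomplete head" if sep.empty?
    request_line, headers = parse_head(head)
    body, stream = read_body(headers, rest, prefer)
    requests << { request_line: request_line, headers: headers, body: body }
  end
  requests
end

# RFC 7230 section 3.3.3 framing checks a strict front end applies before
# forwarding. Returns nil when the head is unambiguous, else the reason.
def framing_violation(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  return "both Transfer-Encoding and Content-Length present" if te && cl
  if te
    codings = te.split(",").map { |c| c.strip.downcase }
    return "final transfer coding is not chunked" unless codings.last == "chunked"
  end
  if cl
    values = cl.split(",").map(&:strip).uniq
    return "conflicting Content-Length values" if values.size > 1
    return "Content-Length is not a decimal integer" unless values.first.match?(/\A\d+\z/)
  end
  nil
end

# Runs both lenient framers and the strict check over one stream.
def desync_demo(stream = SMUGGLED)
  head = stream.partition("\r\n\r\n").first
  {
    content_length_view: frame_requests(stream, prefer: :content_length).map { |r| r[:request_line] },
    chunked_view:        frame_requests(stream, prefer: :chunked).map { |r| r[:request_line] },
    strict_front_end:    framing_violation(parse_head(head).last),
  }
end
```

Run `desync_demo` and the Content-Length view reports a single `POST /upload`, while the chunked view reports `POST /upload` followed by `GET /admin`: that second request never passed through whatever access control the front end applied to the first. The strict check rejects the message before either framer runs, which is the behaviour the workaround in the advisory asks for from the proxy; the same check should also be applied on the server side, since a proxy that forwards ambiguous framing is exactly the precondition this CVE describes.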
Timeline
- 2022-02-10 CVE Reserved
- 2022-03-30 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-03 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
References (10)
URL | Tag | Date
---|---|---
https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9 | Issue Tracking | 
https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html | Mailing List | 
https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5 | Fix Commit | 2023-11-07
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Puma | Puma | < 4.3.12 | ruby | Affected
Puma | Puma | >= 5.0.0 < 5.6.4 | ruby | Affected
Debian | Debian Linux | 10.0 | - | Affected
Debian | Debian Linux | 11.0 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected
Fedoraproject | Fedora | 36 | - | Affected
Fedoraproject | Fedora | 37 | - | Affected