Published: 05/12/2019 Updated: 08/10/2022

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

In Puma prior to 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Vulnerable Product	Search on Vulmon	Subscribe to Product
puma puma
debian debian linux 9.0

Debian Bug report logs - #953122 puma: CVE-2020-5249 Package: src:puma; Maintainer for src:puma is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 4 Mar 2020 21:03:01 UTC Severity: important Tags: bullseye, buster, ...

Debian Bug report logs - #946312 puma: CVE-2019-16770 Package: src:puma; Maintainer for src:puma is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 6 Dec 2019 22:18:01 UTC Severity: important Tags: security, upstre ...

Debian Bug report logs - #989054 puma: CVE-2021-29509: Keepalive Connections Causing Denial Of Service in puma Package: src:puma; Maintainer for src:puma is Debian Ruby Team <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 24 May 2021 19:18:02 UTC ...

CWE-770 https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122

CVE-2019-16770

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect