4.3
CVSSv2

CVE-2022-23634

Published: 11/02/2022 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly: the Rails Executor resets `CurrentAttributes` when the response completes, and it learns that the response has completed from the body's `close`. When Puma skips the `close`, the reset never runs, so values stored in `CurrentAttributes` during one request remain visible to the next request handled on the same thread. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11, and in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability, because either side of the combination is enough to remove the leak.
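The sequence the summary describes, as an added example that is not Puma or Rails code: a `Current` module stands in for `ActiveSupport::CurrentAttributes` (one thread-local attribute store that the completion callback wipes), a Rack-style body runs that reset from `close`, and a single worker thread handles two requests back to back, once without calling `close` (the pre-5.6.2 behaviour) and once with it. The `X-User` header, the `serve` helper and the sample traffic are constructed for the demonstration.

```ruby
# Added example, not code from Puma or Rails: a minimal model of why an
# unclosed response body leaks state between requests.
#
# `Current` stands in for ActiveSupport::CurrentAttributes: one attribute
# store per thread, wiped by the Rails Executor's completion callback.
module Current
  def self.store
    Thread.current[:current_attributes] ||= {}
  end

  def self.user=(name)
    store[:user] = name
  end

  def self.user
    store[:user]
  end

  # What the completion callback does once the response is finished.
  def self.reset
    Thread.current[:current_attributes] = {}
  end
end

# Rack body as wrapped by the Rails Executor middleware: the completion
# callback (and so the reset) only fires when the server calls `close`.
class ResettingBody
  def initialize(chunks)
    @chunks = chunks
  end

  def each(&block)
    @chunks.each(&block)
  end

  def close
    Current.reset
  end
end

# A Rack app that records the caller from a hypothetical X-User header and
# echoes who `Current.user` is, the way a controller would use it.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  body = ResettingBody.new(["user=#{Current.user.inspect}"])
  [200, { "content-type" => "text/plain" }, body]
end

# Handle the requests back to back on one worker thread and return the body
# text each request produced. close_body: false models Puma before 5.6.2 on
# the paths where it did not call `close`; true models the fixed server.
def serve(requests, close_body:)
  Thread.new do
    requests.map do |env|
      _status, _headers, body = APP.call(env)
      out = +""
      body.each { |chunk| out << chunk }
      body.close if close_body
      out
    end
  end.value
end

# Constructed sample traffic: an authenticated request, then an anonymous one.
REQUESTS = [{ "HTTP_X_USER" => "alice" }, {}].freeze

def leaky_results
  serve(REQUESTS, close_body: false)
end

def fixed_results
  serve(REQUESTS, close_body: true)
end

if $PROGRAM_NAME == __FILE__
  puts "body not closed: #{leaky_results.inspect}" # anonymous request still sees alice
  puts "body closed:     #{fixed_results.inspect}" # anonymous request sees nil
end
```

The second, anonymous request reports `alice` in the unclosed run because nothing cleared the thread-local store between requests; with `close` called, the reset fires and it reports `nil`. Real Puma only skipped `close` on particular code paths, so the leak is intermittent in practice, which is why the summary's fixed versions, not observed behaviour, are the thing to check.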

Vulnerable Products (vendor / product)

puma / puma
rubyonrails / rails
debian / debian linux 9.0
debian / debian linux 10.0
debian / debian linux 11.0
fedoraproject / fedora 35
fedoraproject / fedora 36
fedoraproject / fedora 37
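A practitioner's check that follows from the fixed-version lists in the summary, added here and not Vulmon, Puma or Rails code: read the resolved `puma` and `rails` versions out of a Gemfile.lock, compare each against the fixed release of its own release line, and report exposure only when both are unpatched, since upgrading either gem is enough. The `SAMPLE_LOCK` text is constructed, the helper names are mine, and the treatment of a release line newer than every listed fix (for example Puma 6.x or Rails 7.1) as carrying the fix is an assumption.

```ruby
# Added example (not Vulmon, Puma or Rails code): CVE-2022-23634 exposure
# check against a Gemfile.lock. Fixed releases are the ones the advisory
# lists; upgrading EITHER gem is enough, so an app is exposed only when
# both gems are below the fix for their release line.
PUMA_FIXED  = %w[4.3.11 5.6.2].freeze
RAILS_FIXED = %w[5.2.6.2 6.0.4.6 6.1.4.6 7.0.2.2].freeze

# Is `version` at or above the fixed release of its own line? Puma fixed
# its 4.3.x and 5.x lines separately (compare by major); Rails fixed each
# major.minor. A line newer than every listed fix is assumed to ship with
# it (assumption: e.g. Puma 6.x, Rails 7.1); an older unlisted line is not.
def patched?(version, fixed_list, branch_segments)
  v     = Gem::Version.new(version)
  fixed = fixed_list.map { |f| Gem::Version.new(f) }
  line  = ->(ver) { ver.segments.first(branch_segments) }
  same_line = fixed.find { |f| line.(f) == line.(v) }
  return v >= same_line if same_line
  v > fixed.max
end

# Pull the resolved `puma` and `rails` versions out of the `specs:` section.
# Spec entries are indented four spaces and carry a concrete version;
# dependency lines (six spaces, or under DEPENDENCIES) carry constraints.
def lock_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, found|
    m = line.match(/\A {4}(puma|rails) \((\d[\d.]*)\)\s*\z/)
    found[m[1]] = m[2] if m
  end
end

# Exposed to this CVE only with both gems present and both unpatched;
# without Rails the CurrentAttributes half of the combination is absent.
def exposed?(lock_text)
  versions = lock_versions(lock_text)
  puma, rails = versions["puma"], versions["rails"]
  return false unless puma && rails
  !patched?(puma, PUMA_FIXED, 1) && !patched?(rails, RAILS_FIXED, 2)
end

# Constructed sample lock file: both gems one release short of the fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (5.6.1)
        nio4r (~> 2.0)
      rails (7.0.2.1)
        actionpack (= 7.0.2.1)

  DEPENDENCIES
    puma (~> 5.0)
    rails (~> 7.0)
LOCK

if $PROGRAM_NAME == __FILE__
  versions = lock_versions(SAMPLE_LOCK)
  puts "puma #{versions['puma']}, rails #{versions['rails']}: " \
       "#{exposed?(SAMPLE_LOCK) ? 'EXPOSED' : 'not exposed'}"
end
```

Point it at a real lock file with `exposed?(File.read("Gemfile.lock"))`. The lock file only tells you what is bundled; on a running server, `Puma::Const::PUMA_VERSION` and `Rails.version` are the values to compare if the deployment and the repository can differ.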

Vendor Advisories

Synopsis: Moderate: Satellite 6.11 Release. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat Satellite 6.11. Description: Red Hat Satellite is a systems management tool for Linux-based in ...
Debian Bug report logs - #1005391 puma: CVE-2022-23634. Package: src:puma; Maintainer for src:puma is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 12 Feb 2022 18:54:04 UTC; Severity: important; Tags: security, upstream; Found in ...
Multiple security vulnerabilities were discovered in Puma, an HTTP server for Ruby/Rack applications, which could result in HTTP request smuggling or information disclosure. For the stable distribution (bullseye), this problem has been fixed in version 4.3.8-1+deb11u2. We recommend that you upgrade your puma packages. For the detailed security statu ...
Severity: Unknown. Remote: Unknown. Type: Unknown. Description: AVG-2764 ruby-puma 5.6.3-1 5.6.4-1 Medium Unknown ...
A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connection ...