CVE-2022-24790

Published: 30/03/2022 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When Puma runs behind a proxy that does not properly validate that the incoming HTTP request conforms to RFC 7230, Puma and the front-end proxy may disagree on where a request starts and ends. This allows requests to be smuggled through the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turn on any and all functionality that ensures the request conforms to RFC 7230.
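The summary above describes the general condition behind request smuggling: two parsers in the same request path reach different conclusions about where one request ends and the next begins. The following Ruby code is an added example, not code from Puma or from any vendor advisory. It shows the RFC 7230 message-framing rules (sections 3.2.4, 3.3.2, 3.3.3 and 4.1) that a front-end proxy has to enforce before forwarding a request, so that the proxy and the origin server can never disagree: strict CRLF line endings, no whitespace before the header colon, no `Content-Length` alongside `Transfer-Encoding`, no conflicting or non-numeric `Content-Length` values, `chunked` only as the final transfer coding, and chunk sizes that are pure hex digits. All request heads used are constructed sample data; the function and class names are this example's own.

```ruby
# Added example, not code from Puma or from any vendor advisory: the RFC 7230
# message-framing checks (sections 3.2.4, 3.3.2, 3.3.3 and 4.1) that a front-end
# proxy has to enforce so that it and the origin server never disagree on where
# a request ends. All request heads below are constructed sample data.

class FramingError < StandardError; end

# RFC 7230 3.2.6 token: the only characters allowed in a header field-name.
TOKEN = /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Split a request head into its request line and [name, value] header pairs.
# Strict CRLF only, no whitespace before the colon, no obsolete line folding.
def parse_head(raw)
  raw = raw.b
  raise FramingError, "head must end with CRLF CRLF" unless raw.end_with?("\r\n\r\n")
  head = raw[0...-4]
  stripped = head.gsub("\r\n", "")
  raise FramingError, "bare CR or LF in head" if stripped.include?("\n") || stripped.include?("\r")
  lines = head.split("\r\n", -1)
  request_line = lines.shift
  unless request_line =~ %r{\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/1\.[01]\z}
    raise FramingError, "malformed request line #{request_line.inspect}"
  end
  headers = lines.map do |line|
    raise FramingError, "obsolete line folding" if line.start_with?(" ", "\t")
    name, sep, value = line.partition(":")
    raise FramingError, "malformed header line #{line.inspect}" if sep.empty?
    # 3.2.4: whitespace between field-name and colon must be rejected with 400.
    raise FramingError, "bad field name #{name.inspect}" unless name =~ TOKEN
    [name.downcase, value.strip]
  end
  [request_line, headers]
end

# Decide how the body is delimited (RFC 7230 3.3.3) and reject every ambiguous
# combination instead of guessing; guessing is what lets two parsers disagree.
def body_framing(headers)
  te = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
  cl = headers.select { |n, _| n == "content-length" }.map(&:last)

  unless te.empty?
    # 3.3.3 rule 3: a message carrying both TE and CL is treated as an error.
    raise FramingError, "Transfer-Encoding and Content-Length both present" unless cl.empty?
    codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
    # chunked must be the final coding and must appear exactly once.
    raise FramingError, "chunked is not the final transfer coding" unless codings.last == "chunked"
    raise FramingError, "chunked applied more than once" if codings.count("chunked") > 1
    return [:chunked, nil]
  end

  return [:none, 0] if cl.empty?
  # 3.3.2: Content-Length is 1*DIGIT; identical repeats are tolerated, differing values are not.
  values = cl.flat_map { |v| v.split(",") }.map(&:strip).uniq
  raise FramingError, "conflicting Content-Length values #{values.inspect}" if values.size > 1
  raise FramingError, "non-numeric Content-Length #{values.first.inspect}" unless values.first =~ /\A[0-9]+\z/
  [:content_length, values.first.to_i]
end

# Full check for one request head: returns [:none, 0], [:content_length, n] or
# [:chunked, nil], or raises FramingError. On a raise the proxy should answer 400
# rather than forward the request.
def check_request(raw)
  _request_line, headers = parse_head(raw)
  body_framing(headers)
end

# Convenience for the demo: true when the head would be rejected.
def rejected?(raw)
  check_request(raw)
  false
rescue FramingError
  true
end

# Walk a chunked body (RFC 7230 4.1) and return the decoded payload, rejecting
# chunk-size fields that are not pure hex digits (no sign, no whitespace) and
# chunk data that is not terminated by CRLF. Trailer fields are not handled.
def decode_chunked(body)
  body = body.b
  out = String.new
  pos = 0
  loop do
    nl = body.index("\r\n", pos)
    raise FramingError, "chunk-size line not CRLF-terminated" if nl.nil?
    size_field = body[pos...nl].split(";", 2).first || ""
    raise FramingError, "bad chunk-size #{size_field.inspect}" unless size_field =~ /\A[0-9A-Fa-f]+\z/
    size = size_field.to_i(16)
    pos = nl + 2
    if size.zero?
      raise FramingError, "missing final CRLF" unless body[pos, 2] == "\r\n"
      return out
    end
    chunk = body[pos, size]
    raise FramingError, "truncated chunk" if chunk.nil? || chunk.bytesize < size
    raise FramingError, "chunk data not CRLF-terminated" unless body[pos + size, 2] == "\r\n"
    out << chunk
    pos += size + 2
  end
end

if $PROGRAM_NAME == __FILE__
  # constructed sample heads
  good = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
  ambiguous = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
  puts check_request(good).inspect   # [:content_length, 5]
  puts rejected?(ambiguous)          # true
end
```

Every rejection here maps to a sentence in RFC 7230 that says the recipient "MUST reject" or "ought to treat as an error"; a proxy that instead normalises or tolerates such input hands the origin server a request it may frame differently, which is exactly the disagreement the advisory describes. The checks are deliberately independent of Puma's own parser so they can sit in front of any origin.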

Vulnerable Products

puma puma

debian debian linux 10.0

debian debian linux 11.0

fedoraproject fedora 35

fedoraproject fedora 36

fedoraproject fedora 37

Vendor Advisories

Debian Bug report logs - #1008723 puma: CVE-2022-24790 - Inconsistent Interpretation of HTTP Requests. Package: src:puma; Maintainer for src:puma is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Neil Williams <codehelp@debian.org>. Date: Thu, 31 Mar 2022 09:15:01 UTC. Severity: imp ...
Synopsis: Important: Red Hat Gluster Storage web-admin-build security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Gluster Storage 3.5 for RHEL 7. Red Hat Product Security ha ...
Synopsis: Important: Satellite 6.9.10 Async Security Update. Type/Severity: Security Advisory: Important. Topic: Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite. Description: Red Ha ...
Multiple security vulnerabilities were discovered in Puma, an HTTP server for Ruby/Rack applications, which could result in HTTP request smuggling or information disclosure. For the stable distribution (bullseye), this problem has been fixed in version 4.3.8-1+deb11u2. We recommend that you upgrade your puma packages. For the detailed security statu ...
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-e ...
Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma ...
A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connection ...