ALT-PU-2023-1093-2

Package update gem-puma in branch sisyphus

Version5.6.5-alt1

Published2026-02-04

Max severityCRITICAL

Severity:

Closed issues (3)

CRITICAL9.1

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-10-04Modified: 2024-11-06

CVSS 3.xCRITICAL 9.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0CRITICAL 9.4

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N

References

CVE-2022-24790

HIGH7.5

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

Published: 2022-03-30Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

GHSA-h99w-9q5r-gjq9

CRITICAL9.1

Puma vulnerable to HTTP Request Smuggling

Published: 2022-03-31Modified: 2022-08-16

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References