Ruby/puma/4.3.9
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
https://rubygems.org/gems/puma
BSD-3-Clause
6 Security Vulnerabilities
Puma HTTP Request/Response Smuggling vulnerability
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
- https://nvd.nist.gov/vuln/detail/CVE-2024-21647
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
- https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
- https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
- https://github.com/advisories/GHSA-c2f4-cvqm-65w2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
Puma vulnerable to HTTP Request Smuggling
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/advisories/GHSA-h99w-9q5r-gjq9
- https://nvd.nist.gov/vuln/detail/CVE-2022-24790
- https://portswigger.net/web-security/request-smuggling
- https://www.debian.org/security/2022/dsa-5146
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
- Lenient parsing of Transfer-Encoding
headers, when unsupported encodings should be rejected and the final encoding must be chunked
.
- Lenient parsing of malformed Content-Length
headers and chunk sizes, when only digits and hex digits should be allowed.
- Lenient parsing of duplicate Content-Length
headers, when they should be rejected.
- Lenient parsing of the ending of chunked segments, when they should end with \r\n
.
The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have good
behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
- Nginx (latest)
- Apache (latest)
- Haproxy 2.5+
- Caddy (latest)
- Traefik (latest)
Puma used with Rails may lead to Information Exposure
- https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
- https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
- https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23634
- https://github.com/advisories/GHSA-wh98-p28r-vrc9
- https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
- https://www.debian.org/security/2022/dsa-5146
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
Impact
Prior to puma
version 5.6.2
, puma
may not always call close
on the response body. Rails, prior to version 7.0.2.2
, depended on the response body being closed in order for its CurrentAttributes
implementation to work correctly.
From Rails:
Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE includes a middleware that can be used instead.
References
- Rails CVE: CVE-2022-23633
For more information
If you have any questions or comments about this advisory: * Open an issue in puma * See our security policy
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Impact
Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
- Incorrect parsing of trailing fields in chunked transfer encoding bodies
- Parsing of blank/zero-length Content-Length headers\r\n
Patches
The vulnerability has been fixed in 6.3.1 and 5.6.7.
Workarounds
No known workarounds.
References
Puma HTTP Request/Response Smuggling vulnerability
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Impact
Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
- Incorrect parsing of trailing fields in chunked transfer encoding bodies
- Parsing of blank/zero-length Content-Length headers\r\n
Patches
The vulnerability has been fixed in 6.3.1 and 5.6.7.
Workarounds
No known workarounds.
References
167 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
5.0.4 | BSD-3-Clause | 12 | 2020-10-27 - 14:18 | over 3 years |
5.0.3 | BSD-3-Clause | 12 | 2020-10-26 - 13:05 | over 3 years |
5.0.2 | BSD-3-Clause | 12 | 2020-09-28 - 15:19 | over 3 years |
5.0.1 | BSD-3-Clause | 12 | 2020-09-28 - 13:48 | over 3 years |
5.0.0 | BSD-3-Clause | 12 | 2020-09-17 - 17:06 | over 3 years |
5.0.0.beta2 | BSD-3-Clause | 8 | 2020-09-05 - 22:28 | over 3 years |
5.0.0.beta1 | BSD-3-Clause | 8 | 2020-05-12 - 01:49 | almost 4 years |
4.3.6 | BSD-3-Clause | 8 | 2020-09-05 - 21:12 | over 3 years |
4.3.5 | BSD-3-Clause | 8 | 2020-05-19 - 22:43 | almost 4 years |
4.3.4 | BSD-3-Clause | 10 | 2020-05-19 - 00:09 | almost 4 years |
4.3.3 | BSD-3-Clause | 12 | 2020-02-28 - 19:23 | about 4 years |
4.3.1 | BSD-3-Clause | 16 | 2019-12-05 - 07:38 | over 4 years |
4.3.0 | BSD-3-Clause | 18 | 2019-11-07 - 21:05 | over 4 years |
4.2.1 | BSD-3-Clause | 22 | 2019-10-07 - 09:44 | over 4 years |
4.2.0 | BSD-3-Clause | 22 | 2019-09-23 - 09:25 | over 4 years |
4.1.1 | BSD-3-Clause | 22 | 2019-09-09 - 12:20 | over 4 years |
4.1.0 | BSD-3-Clause | 22 | 2019-08-08 - 19:55 | over 4 years |
4.0.1 | BSD-3-Clause | 22 | 2019-07-11 - 17:52 | almost 5 years |
4.0.0 | BSD-3-Clause | 22 | 2019-06-25 - 17:46 | almost 5 years |
3.12.6 | BSD-3-Clause | 12 | 2020-05-19 - 22:43 | almost 4 years |
3.12.5 | BSD-3-Clause | 13 | 2020-05-19 - 00:08 | almost 4 years |
3.12.4 | BSD-3-Clause | 14 | 2020-02-28 - 19:49 | about 4 years |
3.12.2 | BSD-3-Clause | 16 | 2019-12-05 - 07:43 | over 4 years |
3.12.1 | BSD-3-Clause | 17 | 2019-03-19 - 18:07 | about 5 years |
3.12.0 | BSD-3-Clause | 17 | 2018-07-13 - 16:10 | almost 6 years |
3.11.4 | BSD-3-Clause | 22 | 2018-04-12 - 19:40 | about 6 years |
3.11.3 | BSD-3-Clause | 22 | 2018-03-06 - 05:42 | about 6 years |
3.11.2 | BSD-3-Clause | 22 | 2018-01-19 - 19:24 | over 6 years |
3.11.1 | BSD-3-Clause | 22 | 2018-01-19 - 04:49 | over 6 years |
3.11.0 | BSD-3-Clause | 22 | 2017-11-20 - 16:29 | over 6 years |
3.10.0 | BSD-3-Clause | 22 | 2017-08-17 - 19:25 | over 6 years |
3.9.1 | BSD-3-Clause | 22 | 2017-06-03 - 14:04 | almost 7 years |
3.9.0 | BSD-3-Clause | 22 | 2017-06-01 - 15:40 | almost 7 years |
3.8.2 | BSD-3-Clause | 22 | 2017-03-14 - 17:57 | about 7 years |
3.8.1 | BSD-3-Clause | 22 | 2017-03-10 - 17:20 | about 7 years |
3.8.0 | BSD-3-Clause | 22 | 2017-03-09 - 22:28 | about 7 years |
3.7.1 | BSD-3-Clause | 22 | 2017-02-20 - 15:19 | about 7 years |
3.7.0 | BSD-3-Clause | 22 | 2017-01-28 - 00:36 | over 7 years |
3.6.2 | BSD-3-Clause | 22 | 2016-11-22 - 23:57 | over 7 years |
3.6.1 | BSD-3-Clause | 22 | 2016-11-21 - 19:08 | over 7 years |
3.6.0 | BSD-3-Clause | 22 | 2016-07-25 - 05:18 | almost 8 years |
3.5.2 | BSD-3-Clause | 22 | 2016-07-20 - 17:59 | almost 8 years |
3.5.1 | BSD-3-Clause | 22 | 2016-07-20 - 17:55 | almost 8 years |
3.5.0 | BSD-3-Clause | 22 | 2016-07-19 - 05:08 | almost 8 years |
3.4.0 | BSD-3-Clause | 22 | 2016-04-07 - 22:07 | about 8 years |
3.3.0 | BSD-3-Clause | 22 | 2016-04-05 - 16:29 | about 8 years |
3.2.0 | BSD-3-Clause | 22 | 2016-03-20 - 21:21 | about 8 years |
3.1.1 | BSD-3-Clause | 22 | 2016-03-18 - 04:33 | about 8 years |
3.1.0 | BSD-3-Clause | 22 | 2016-03-06 - 00:34 | about 8 years |
3.0.2 | BSD-3-Clause | 22 | 2016-02-26 - 18:39 | about 8 years |
3.0.1 | BSD-3-Clause | 22 | 2016-02-26 - 03:44 | about 8 years |
3.0.0 | BSD-3-Clause | 22 | 2016-02-25 - 22:25 | about 8 years |
3.0.0.rc1 | BSD-3-Clause | 22 | 2016-02-20 - 01:27 | about 8 years |
2.16.0 | BSD-3-Clause | 22 | 2016-01-28 - 03:58 | over 8 years |
2.15.3 | BSD-3-Clause | 22 | 2015-11-07 - 17:19 | over 8 years |
2.15.2 | BSD-3-Clause | 22 | 2015-11-06 - 23:35 | over 8 years |
2.15.1 | BSD-3-Clause | 22 | 2015-11-06 - 23:31 | over 8 years |
2.15.0 | BSD-3-Clause | 22 | 2015-11-06 - 19:08 | over 8 years |
2.14.0 | BSD-3-Clause | 22 | 2015-09-18 - 16:57 | over 8 years |
2.13.4 | BSD-3-Clause | 22 | 2015-08-16 - 16:21 | over 8 years |
2.13.3 | BSD-3-Clause | 22 | 2015-08-16 - 02:15 | over 8 years |
2.13.2 | BSD-3-Clause | 22 | 2015-08-15 - 21:52 | over 8 years |
2.13.1 | BSD-3-Clause | 22 | 2015-08-15 - 17:10 | over 8 years |
2.13.0 | BSD-3-Clause | 22 | 2015-08-15 - 01:35 | over 8 years |
2.12.3 | BSD-3-Clause | 22 | 2015-08-04 - 05:19 | almost 9 years |
2.12.2 | BSD-3-Clause | 22 | 2015-07-17 - 18:53 | almost 9 years |
2.12.1 | BSD-3-Clause | 22 | 2015-07-16 - 17:08 | almost 9 years |
2.12.0 | BSD-3-Clause | 22 | 2015-07-14 - 19:03 | almost 9 years |
2.11.3 | BSD-3-Clause | 22 | 2015-05-19 - 04:12 | almost 9 years |
2.11.2 | BSD-3-Clause | 22 | 2015-04-13 - 16:22 | about 9 years |
2.11.1 | BSD-3-Clause | 22 | 2015-02-11 - 23:51 | about 9 years |
2.11.0 | BSD-3-Clause | 22 | 2015-01-20 - 19:01 | over 9 years |
2.10.2 | BSD-3-Clause | 22 | 2014-11-27 - 07:08 | over 9 years |
2.10.1 | BSD-3-Clause | 22 | 2014-11-24 - 19:50 | over 9 years |
2.10.0 | BSD-3-Clause | 22 | 2014-11-24 - 03:58 | over 9 years |
2.9.2 | BSD-3-Clause | 22 | 2014-10-30 - 14:58 | over 9 years |
2.9.1 | BSD-3-Clause | 22 | 2014-09-05 - 18:41 | over 9 years |
2.9.0 | BSD-3-Clause | 22 | 2014-07-13 - 01:03 | almost 10 years |
5.6.4 | BSD-3-Clause | 1 | 2022-03-30 - 16:15 | about 2 years |
5.5.1 | BSD-3-Clause | 8 | 2021-10-12 - 15:11 | over 2 years |
6.1.1 | BSD-3-Clause | 4 | 2023-02-28 - 07:40 | about 1 year |
6.1.0 | BSD-3-Clause | 4 | 2023-02-12 - 04:58 | about 1 year |
5.5.2 | BSD-3-Clause | 8 | 2021-10-12 - 23:08 | over 2 years |
4.3.11 | BSD-3-Clause | 5 | 2022-02-11 - 21:21 | about 2 years |
5.6.1 | BSD-3-Clause | 5 | 2022-01-27 - 00:40 | over 2 years |
5.6.2 | BSD-3-Clause | 3 | 2022-02-11 - 21:17 | about 2 years |
4.3.10 | BSD-3-Clause | 6 | 2021-10-12 - 23:15 | over 2 years |
5.6.0 | BSD-3-Clause | 5 | 2022-01-25 - 21:21 | over 2 years |
5.4.0 | BSD-3-Clause | 10 | 2021-07-29 - 14:31 | almost 3 years |
4.3.9 | BSD-3-Clause | 6 | 2021-10-12 - 15:13 | over 2 years |
5.5.0 | BSD-3-Clause | 10 | 2021-09-19 - 20:09 | over 2 years |
6.2.0 | BSD-3-Clause | 4 | 2023-03-29 - 06:55 | about 1 year |
4.3.8 | BSD-3-Clause | 7 | 2021-05-11 - 14:54 | almost 3 years |
5.3.2 | BSD-3-Clause | 10 | 2021-05-21 - 17:17 | almost 3 years |
5.3.0 | BSD-3-Clause | 12 | 2021-05-07 - 15:01 | about 3 years |
5.3.1 | BSD-3-Clause | 10 | 2021-05-11 - 14:56 | almost 3 years |
6.2.1 | BSD-3-Clause | 4 | 2023-03-31 - 06:53 | about 1 year |
6.0.0 | BSD-3-Clause | 4 | 2022-10-14 - 02:33 | over 1 year |
5.6.5 | BSD-3-Clause | 1 | 2022-08-23 - 06:04 | over 1 year |
5.2.0 | BSD-3-Clause | 12 | 2021-01-27 - 20:43 | over 3 years |