Ruby/puma/5.3.2


Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

https://rubygems.org/gems/puma
BSD-3-Clause

10 Security Vulnerabilities

Puma with proxy which forwards LF characters as line endings could allow HTTP request smuggling

Published date: 2021-10-12T17:53:00Z
CVE: CVE-2021-41136
Links:

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as low. Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

  • Nginx
  • Apache (>2.4.25)
  • Haproxy
  • Caddy
  • Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

For more information

If you have any questions or comments about this advisory:

Affected versions: ["4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "4.3.7", "4.3.8", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Puma HTTP Request/Response Smuggling vulnerability

Published date: 2024-01-08T15:56:48Z
CVE: CVE-2024-21647
Links:

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "4.3.7", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "4.3.8", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "4.3.9", "5.5.2", "4.3.10", "5.6.0", "5.6.1", "5.6.2", "4.3.11", "5.6.4", "4.3.12", "5.6.5", "5.6.6", "5.6.7", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.1", "6.2.1", "6.2.0", "6.2.2", "6.3.0", "6.3.1", "6.4.0", "6.4.1"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Puma vulnerable to HTTP Request Smuggling

Published date: 2022-03-30T21:48:50Z
CVE: CVE-2022-24790
Links:

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory: - Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked. - Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate Content-Length headers, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have good behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

Affected versions: ["4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "4.3.7", "4.3.8", "4.3.9", "4.3.10", "4.3.11", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1", "5.6.2"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Puma used with Rails may lead to Information Exposure

Published date: 2022-02-11T21:33:23Z
CVE: CVE-2022-23634
Links:

Impact

Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE includes a middleware that can be used instead.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in puma * See our security policy

Affected versions: ["4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "4.3.7", "4.3.8", "4.3.9", "4.3.10", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Published date: 2021-10-12
CVE: 2021-41136
CVSS V3: 3.7
Links:

Impact

Prior to puma version 5.5.0, using puma with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as low. Puma is only aware of a single proxy server which has this behavior.

If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Patches

This vulnerability was patched in Puma 5.5.1 and 4.3.9.

Workarounds

This vulnerability only affects Puma installations without any proxy in front.

Use a proxy which does not forward LF characters as line endings.

Proxies which do not forward LF characters as line endings:

  • Nginx
  • Apache (>2.4.25)
  • Haproxy
  • Caddy
  • Traefik

Possible Breakage

If you are dealing with legacy clients that want to send LF as a line ending in an HTTP header, this will cause those clients to receive a 400 error.

References

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Information Exposure with Puma when used with Rails

Published date: 2022-02-11
CVE: 2022-23634
CVSS V3: 8.0
Links:

Impact

Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly.

From Rails:

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.

Patches

This problem is fixed in Puma versions 5.6.2 and 4.3.11.

This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability

Upgrading to a patched Rails or Puma version fixes the vulnerability.

Workarounds

Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

The Rails CVE includes a middleware that can be used instead.

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

HTTP Request Smuggling in puma

Published date: 2022-03-30
CVE: 2022-24790
CVSS V3: 9.1
Links:

Impact

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory: - Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked. - Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate Content-Length headers, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with \r\n.

Patches

The vulnerability has been fixed in 5.6.4 and 4.3.12.

Workarounds

When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have good behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

References

HTTP Request Smuggling

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1", "5.6.2"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Published date: 2023-08-18
CVE: 2023-40175
CVSS V3: 6.5
Links:

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory: - Incorrect parsing of trailing fields in chunked transfer encoding bodies - Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "4.3.7", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "4.3.8", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "4.3.9", "5.5.2", "4.3.10", "4.3.11", "4.3.12", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.1", "6.2.1", "6.2.0", "6.2.2", "6.3.0"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Puma HTTP Request/Response Smuggling vulnerability

Published date: 2024-01-08
CVE: 2024-21647
CVSS V3: 5.9
Links:

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "4.3.7", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "4.3.8", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "4.3.9", "5.5.2", "4.3.10", "4.3.11", "4.3.12", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.1", "6.2.1", "6.2.0", "6.2.2", "6.3.0", "6.3.1", "6.4.0", "6.4.1"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma

Published date: 2023-08-18
CVSS V3: 6.5
Links:

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory: - Incorrect parsing of trailing fields in chunked transfer encoding bodies - Parsing of blank/zero-length Content-Length headers\r\n

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "4.3.7", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "4.3.8", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "4.3.9", "5.5.2", "4.3.10", "4.3.11", "4.3.12", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.1", "6.2.1", "6.2.0", "6.2.2", "6.3.0"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

167 Other Versions

Version License Security Released
6.4.2 BSD-3-Clause 2024-01-08 - 05:57 3 months
6.4.1 BSD-3-Clause 2 2024-01-03 - 00:05 3 months
6.4.0 BSD-3-Clause 2 2023-09-21 - 04:15 6 months
6.3.1 BSD-3-Clause 2 2023-08-18 - 01:22 7 months
6.3.0 BSD-3-Clause 4 2023-05-31 - 07:16 10 months
6.2.2 BSD-3-Clause 4 2023-04-17 - 22:44 12 months
6.2.1 BSD-3-Clause 4 2023-03-31 - 06:53 12 months
6.2.0 BSD-3-Clause 4 2023-03-29 - 06:55 almost 1 year
6.1.1 BSD-3-Clause 4 2023-02-28 - 07:40 about 1 year
6.1.0 BSD-3-Clause 4 2023-02-12 - 04:58 about 1 year
6.0.2 BSD-3-Clause 4 2023-01-01 - 22:04 about 1 year
6.0.1 BSD-3-Clause 4 2022-12-20 - 20:21 over 1 year
6.0.0 BSD-3-Clause 4 2022-10-14 - 02:33 over 1 year
5.6.8 BSD-3-Clause 2024-01-08 - 06:09 3 months
5.6.7 BSD-3-Clause 1 2023-08-18 - 05:58 7 months
5.6.6 BSD-3-Clause 1 2023-06-21 - 02:59 9 months
5.6.5 BSD-3-Clause 1 2022-08-23 - 06:04 over 1 year
5.6.4 BSD-3-Clause 1 2022-03-30 - 16:15 almost 2 years
5.6.2 BSD-3-Clause 3 2022-02-11 - 21:17 about 2 years
5.6.1 BSD-3-Clause 5 2022-01-27 - 00:40 about 2 years
5.6.0 BSD-3-Clause 5 2022-01-25 - 21:21 about 2 years
5.5.2 BSD-3-Clause 8 2021-10-12 - 23:08 over 2 years
5.5.1 BSD-3-Clause 8 2021-10-12 - 15:11 over 2 years
5.5.0 BSD-3-Clause 10 2021-09-19 - 20:09 over 2 years
5.4.0 BSD-3-Clause 10 2021-07-29 - 14:31 over 2 years
5.3.2 BSD-3-Clause 10 2021-05-21 - 17:17 almost 3 years
5.3.1 BSD-3-Clause 10 2021-05-11 - 14:56 almost 3 years
5.3.0 BSD-3-Clause 12 2021-05-07 - 15:01 almost 3 years
5.2.2 BSD-3-Clause 12 2021-03-02 - 16:08 about 3 years
5.2.1 BSD-3-Clause 12 2021-02-05 - 22:28 about 3 years
5.2.0 BSD-3-Clause 12 2021-01-27 - 20:43 about 3 years
5.1.1 BSD-3-Clause 12 2020-12-10 - 15:28 over 3 years
5.1.0 BSD-3-Clause 12 2020-11-30 - 17:33 over 3 years
5.0.4 BSD-3-Clause 12 2020-10-27 - 14:18 over 3 years
5.0.3 BSD-3-Clause 12 2020-10-26 - 13:05 over 3 years
5.0.2 BSD-3-Clause 12 2020-09-28 - 15:19 over 3 years
5.0.1 BSD-3-Clause 12 2020-09-28 - 13:48 over 3 years
5.0.0 BSD-3-Clause 12 2020-09-17 - 17:06 over 3 years
5.0.0.beta2 BSD-3-Clause 8 2020-09-05 - 22:28 over 3 years
5.0.0.beta1 BSD-3-Clause 8 2020-05-12 - 01:49 almost 4 years
4.3.12 BSD-3-Clause 4 2022-03-30 - 16:14 almost 2 years
4.3.11 BSD-3-Clause 5 2022-02-11 - 21:21 about 2 years
4.3.10 BSD-3-Clause 6 2021-10-12 - 23:15 over 2 years
4.3.9 BSD-3-Clause 6 2021-10-12 - 15:13 over 2 years
4.3.8 BSD-3-Clause 7 2021-05-11 - 14:54 almost 3 years
4.3.7 BSD-3-Clause 8 2020-11-30 - 16:54 over 3 years
4.3.6 BSD-3-Clause 8 2020-09-05 - 21:12 over 3 years
4.3.5 BSD-3-Clause 8 2020-05-19 - 22:43 almost 4 years
4.3.4 BSD-3-Clause 10 2020-05-19 - 00:09 almost 4 years
4.3.3 BSD-3-Clause 12 2020-02-28 - 19:23 about 4 years
4.3.1 BSD-3-Clause 16 2019-12-05 - 07:38 over 4 years
4.3.0 BSD-3-Clause 18 2019-11-07 - 21:05 over 4 years
4.2.1 BSD-3-Clause 22 2019-10-07 - 09:44 over 4 years
4.2.0 BSD-3-Clause 22 2019-09-23 - 09:25 over 4 years
4.1.1 BSD-3-Clause 22 2019-09-09 - 12:20 over 4 years
4.1.0 BSD-3-Clause 22 2019-08-08 - 19:55 over 4 years
4.0.1 BSD-3-Clause 22 2019-07-11 - 17:52 over 4 years
4.0.0 BSD-3-Clause 22 2019-06-25 - 17:46 almost 5 years
3.12.6 BSD-3-Clause 12 2020-05-19 - 22:43 almost 4 years
3.12.5 BSD-3-Clause 13 2020-05-19 - 00:08 almost 4 years
3.12.4 BSD-3-Clause 14 2020-02-28 - 19:49 about 4 years
3.12.2 BSD-3-Clause 16 2019-12-05 - 07:43 over 4 years
3.12.1 BSD-3-Clause 17 2019-03-19 - 18:07 about 5 years
3.12.0 BSD-3-Clause 17 2018-07-13 - 16:10 over 5 years
3.11.4 BSD-3-Clause 22 2018-04-12 - 19:40 almost 6 years
3.11.3 BSD-3-Clause 22 2018-03-06 - 05:42 about 6 years
3.11.2 BSD-3-Clause 22 2018-01-19 - 19:24 about 6 years
3.11.1 BSD-3-Clause 22 2018-01-19 - 04:49 about 6 years
3.11.0 BSD-3-Clause 22 2017-11-20 - 16:29 over 6 years
3.10.0 BSD-3-Clause 22 2017-08-17 - 19:25 over 6 years
3.9.1 BSD-3-Clause 22 2017-06-03 - 14:04 almost 7 years
3.9.0 BSD-3-Clause 22 2017-06-01 - 15:40 almost 7 years
3.8.2 BSD-3-Clause 22 2017-03-14 - 17:57 about 7 years
3.8.1 BSD-3-Clause 22 2017-03-10 - 17:20 about 7 years
3.8.0 BSD-3-Clause 22 2017-03-09 - 22:28 about 7 years
3.7.1 BSD-3-Clause 22 2017-02-20 - 15:19 about 7 years
3.7.0 BSD-3-Clause 22 2017-01-28 - 00:36 about 7 years
3.6.2 BSD-3-Clause 22 2016-11-22 - 23:57 over 7 years
3.6.1 BSD-3-Clause 22 2016-11-21 - 19:08 over 7 years
3.6.0 BSD-3-Clause 22 2016-07-25 - 05:18 over 7 years
3.5.2 BSD-3-Clause 22 2016-07-20 - 17:59 over 7 years
3.5.1 BSD-3-Clause 22 2016-07-20 - 17:55 over 7 years
3.5.0 BSD-3-Clause 22 2016-07-19 - 05:08 over 7 years
3.4.0 BSD-3-Clause 22 2016-04-07 - 22:07 almost 8 years
3.3.0 BSD-3-Clause 22 2016-04-05 - 16:29 almost 8 years
3.2.0 BSD-3-Clause 22 2016-03-20 - 21:21 about 8 years
3.1.1 BSD-3-Clause 22 2016-03-18 - 04:33 about 8 years
3.1.0 BSD-3-Clause 22 2016-03-06 - 00:34 about 8 years
3.0.2 BSD-3-Clause 22 2016-02-26 - 18:39 about 8 years
3.0.1 BSD-3-Clause 22 2016-02-26 - 03:44 about 8 years
3.0.0 BSD-3-Clause 22 2016-02-25 - 22:25 about 8 years
3.0.0.rc1 BSD-3-Clause 22 2016-02-20 - 01:27 about 8 years
2.16.0 BSD-3-Clause 22 2016-01-28 - 03:58 about 8 years
2.15.3 BSD-3-Clause 22 2015-11-07 - 17:19 over 8 years
2.15.2 BSD-3-Clause 22 2015-11-06 - 23:35 over 8 years
2.15.1 BSD-3-Clause 22 2015-11-06 - 23:31 over 8 years
2.15.0 BSD-3-Clause 22 2015-11-06 - 19:08 over 8 years
2.14.0 BSD-3-Clause 22 2015-09-18 - 16:57 over 8 years
2.13.4 BSD-3-Clause 22 2015-08-16 - 16:21 over 8 years
2.13.3 BSD-3-Clause 22 2015-08-16 - 02:15 over 8 years