Ruby/puma/5.6.2


Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

https://rubygems.org/gems/puma
BSD-3-Clause

3 Security Vulnerabilities

Puma HTTP Request/Response Smuggling vulnerability

Published date: 2024-01-08T15:56:48Z
CVE: CVE-2024-21647
Links:

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "4.3.7", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "4.3.8", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "4.3.9", "5.5.2", "4.3.10", "5.6.0", "5.6.1", "5.6.2", "4.3.11", "5.6.4", "4.3.12", "5.6.5", "5.6.6", "5.6.7", "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.1", "6.2.1", "6.2.0", "6.2.2", "6.3.0", "6.3.1", "6.4.0", "6.4.1"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

Puma vulnerable to HTTP Request Smuggling

Published date: 2022-03-30T21:48:50Z
CVE: CVE-2022-24790
Links:

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory: - Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked. - Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate Content-Length headers, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have good behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

Affected versions: ["4.3.6", "4.3.5", "4.3.4", "4.3.3", "4.3.1", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "4.3.7", "4.3.8", "4.3.9", "4.3.10", "4.3.11", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1", "5.6.2"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

HTTP Request Smuggling in puma

Published date: 2022-03-30
CVE: 2022-24790
CVSS V3: 9.1
Links:

Impact

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory: - Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked. - Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate Content-Length headers, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with \r\n.

Patches

The vulnerability has been fixed in 5.6.4 and 4.3.12.

Workarounds

When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have good behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)

References

HTTP Request Smuggling

Affected versions: ["5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.beta2", "5.0.0.beta1", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.1", "4.0.0", "3.12.6", "3.12.5", "3.12.4", "3.12.2", "3.12.1", "3.12.0", "3.11.4", "3.11.3", "3.11.2", "3.11.1", "3.11.0", "3.10.0", "3.9.1", "3.9.0", "3.8.2", "3.8.1", "3.8.0", "3.7.1", "3.7.0", "3.6.2", "3.6.1", "3.6.0", "3.5.2", "3.5.1", "3.5.0", "3.4.0", "3.3.0", "3.2.0", "3.1.1", "3.1.0", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc1", "2.16.0", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.0", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.3", "2.12.2", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.2", "2.10.1", "2.10.0", "2.9.2", "2.9.1", "2.9.0", "2.8.2", "2.8.1", "2.8.0", "2.7.1", "2.7.0", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.2", "2.3.1", "2.3.0", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.b7", "2.0.0.b6", "2.0.0.b5", "2.0.0.b4", "2.0.0.b3", "2.0.0.b2", "2.0.0.b1", "1.6.3", "1.6.2", "1.6.1", "1.6.0", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.0", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "5.1.0", "5.1.1", "5.2.0", "5.2.1", "5.2.2", "5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.5.0", "5.5.1", "5.5.2", "5.6.0", "5.6.1", "5.6.2"]
Secure versions: [6.4.2, 5.6.8]
Recommendation: Update to version 6.4.2.

167 Other Versions

Version License Security Released
6.4.2 BSD-3-Clause 2024-01-08 - 05:57 3 months
6.4.1 BSD-3-Clause 2 2024-01-03 - 00:05 3 months
6.4.0 BSD-3-Clause 2 2023-09-21 - 04:15 6 months
6.3.1 BSD-3-Clause 2 2023-08-18 - 01:22 7 months
6.3.0 BSD-3-Clause 4 2023-05-31 - 07:16 10 months
6.2.2 BSD-3-Clause 4 2023-04-17 - 22:44 12 months
6.2.1 BSD-3-Clause 4 2023-03-31 - 06:53 12 months
6.2.0 BSD-3-Clause 4 2023-03-29 - 06:55 almost 1 year
6.1.1 BSD-3-Clause 4 2023-02-28 - 07:40 about 1 year
6.1.0 BSD-3-Clause 4 2023-02-12 - 04:58 about 1 year
6.0.2 BSD-3-Clause 4 2023-01-01 - 22:04 about 1 year
6.0.1 BSD-3-Clause 4 2022-12-20 - 20:21 over 1 year
6.0.0 BSD-3-Clause 4 2022-10-14 - 02:33 over 1 year
5.6.8 BSD-3-Clause 2024-01-08 - 06:09 3 months
5.6.7 BSD-3-Clause 1 2023-08-18 - 05:58 7 months
5.6.6 BSD-3-Clause 1 2023-06-21 - 02:59 9 months
5.6.5 BSD-3-Clause 1 2022-08-23 - 06:04 over 1 year
5.6.4 BSD-3-Clause 1 2022-03-30 - 16:15 almost 2 years
5.6.2 BSD-3-Clause 3 2022-02-11 - 21:17 about 2 years
5.6.1 BSD-3-Clause 5 2022-01-27 - 00:40 about 2 years
5.6.0 BSD-3-Clause 5 2022-01-25 - 21:21 about 2 years
5.5.2 BSD-3-Clause 8 2021-10-12 - 23:08 over 2 years
5.5.1 BSD-3-Clause 8 2021-10-12 - 15:11 over 2 years
5.5.0 BSD-3-Clause 10 2021-09-19 - 20:09 over 2 years
5.4.0 BSD-3-Clause 10 2021-07-29 - 14:31 over 2 years
5.3.2 BSD-3-Clause 10 2021-05-21 - 17:17 almost 3 years
5.3.1 BSD-3-Clause 10 2021-05-11 - 14:56 almost 3 years
5.3.0 BSD-3-Clause 12 2021-05-07 - 15:01 almost 3 years
5.2.2 BSD-3-Clause 12 2021-03-02 - 16:08 about 3 years
5.2.1 BSD-3-Clause 12 2021-02-05 - 22:28 about 3 years
5.2.0 BSD-3-Clause 12 2021-01-27 - 20:43 about 3 years
5.1.1 BSD-3-Clause 12 2020-12-10 - 15:28 over 3 years
5.1.0 BSD-3-Clause 12 2020-11-30 - 17:33 over 3 years
5.0.4 BSD-3-Clause 12 2020-10-27 - 14:18 over 3 years
5.0.3 BSD-3-Clause 12 2020-10-26 - 13:05 over 3 years
5.0.2 BSD-3-Clause 12 2020-09-28 - 15:19 over 3 years
5.0.1 BSD-3-Clause 12 2020-09-28 - 13:48 over 3 years
5.0.0 BSD-3-Clause 12 2020-09-17 - 17:06 over 3 years
5.0.0.beta2 BSD-3-Clause 8 2020-09-05 - 22:28 over 3 years
5.0.0.beta1 BSD-3-Clause 8 2020-05-12 - 01:49 almost 4 years
4.3.12 BSD-3-Clause 4 2022-03-30 - 16:14 almost 2 years
4.3.11 BSD-3-Clause 5 2022-02-11 - 21:21 about 2 years
4.3.10 BSD-3-Clause 6 2021-10-12 - 23:15 over 2 years
4.3.9 BSD-3-Clause 6 2021-10-12 - 15:13 over 2 years
4.3.8 BSD-3-Clause 7 2021-05-11 - 14:54 almost 3 years
4.3.7 BSD-3-Clause 8 2020-11-30 - 16:54 over 3 years
4.3.6 BSD-3-Clause 8 2020-09-05 - 21:12 over 3 years
4.3.5 BSD-3-Clause 8 2020-05-19 - 22:43 almost 4 years
4.3.4 BSD-3-Clause 10 2020-05-19 - 00:09 almost 4 years
4.3.3 BSD-3-Clause 12 2020-02-28 - 19:23 about 4 years
4.3.1 BSD-3-Clause 16 2019-12-05 - 07:38 over 4 years
4.3.0 BSD-3-Clause 18 2019-11-07 - 21:05 over 4 years
4.2.1 BSD-3-Clause 22 2019-10-07 - 09:44 over 4 years
4.2.0 BSD-3-Clause 22 2019-09-23 - 09:25 over 4 years
4.1.1 BSD-3-Clause 22 2019-09-09 - 12:20 over 4 years
4.1.0 BSD-3-Clause 22 2019-08-08 - 19:55 over 4 years
4.0.1 BSD-3-Clause 22 2019-07-11 - 17:52 over 4 years
4.0.0 BSD-3-Clause 22 2019-06-25 - 17:46 almost 5 years
3.12.6 BSD-3-Clause 12 2020-05-19 - 22:43 almost 4 years
3.12.5 BSD-3-Clause 13 2020-05-19 - 00:08 almost 4 years
3.12.4 BSD-3-Clause 14 2020-02-28 - 19:49 about 4 years
3.12.2 BSD-3-Clause 16 2019-12-05 - 07:43 over 4 years
3.12.1 BSD-3-Clause 17 2019-03-19 - 18:07 about 5 years
3.12.0 BSD-3-Clause 17 2018-07-13 - 16:10 over 5 years
3.11.4 BSD-3-Clause 22 2018-04-12 - 19:40 almost 6 years
3.11.3 BSD-3-Clause 22 2018-03-06 - 05:42 about 6 years
3.11.2 BSD-3-Clause 22 2018-01-19 - 19:24 about 6 years
3.11.1 BSD-3-Clause 22 2018-01-19 - 04:49 about 6 years
3.11.0 BSD-3-Clause 22 2017-11-20 - 16:29 over 6 years
3.10.0 BSD-3-Clause 22 2017-08-17 - 19:25 over 6 years
3.9.1 BSD-3-Clause 22 2017-06-03 - 14:04 almost 7 years
3.9.0 BSD-3-Clause 22 2017-06-01 - 15:40 almost 7 years
3.8.2 BSD-3-Clause 22 2017-03-14 - 17:57 about 7 years
3.8.1 BSD-3-Clause 22 2017-03-10 - 17:20 about 7 years
3.8.0 BSD-3-Clause 22 2017-03-09 - 22:28 about 7 years
3.7.1 BSD-3-Clause 22 2017-02-20 - 15:19 about 7 years
3.7.0 BSD-3-Clause 22 2017-01-28 - 00:36 about 7 years
3.6.2 BSD-3-Clause 22 2016-11-22 - 23:57 over 7 years
3.6.1 BSD-3-Clause 22 2016-11-21 - 19:08 over 7 years
3.6.0 BSD-3-Clause 22 2016-07-25 - 05:18 over 7 years
3.5.2 BSD-3-Clause 22 2016-07-20 - 17:59 over 7 years
3.5.1 BSD-3-Clause 22 2016-07-20 - 17:55 over 7 years
3.5.0 BSD-3-Clause 22 2016-07-19 - 05:08 over 7 years
3.4.0 BSD-3-Clause 22 2016-04-07 - 22:07 almost 8 years
3.3.0 BSD-3-Clause 22 2016-04-05 - 16:29 almost 8 years
3.2.0 BSD-3-Clause 22 2016-03-20 - 21:21 about 8 years
3.1.1 BSD-3-Clause 22 2016-03-18 - 04:33 about 8 years
3.1.0 BSD-3-Clause 22 2016-03-06 - 00:34 about 8 years
3.0.2 BSD-3-Clause 22 2016-02-26 - 18:39 about 8 years
3.0.1 BSD-3-Clause 22 2016-02-26 - 03:44 about 8 years
3.0.0 BSD-3-Clause 22 2016-02-25 - 22:25 about 8 years
3.0.0.rc1 BSD-3-Clause 22 2016-02-20 - 01:27 about 8 years
2.16.0 BSD-3-Clause 22 2016-01-28 - 03:58 about 8 years
2.15.3 BSD-3-Clause 22 2015-11-07 - 17:19 over 8 years
2.15.2 BSD-3-Clause 22 2015-11-06 - 23:35 over 8 years
2.15.1 BSD-3-Clause 22 2015-11-06 - 23:31 over 8 years
2.15.0 BSD-3-Clause 22 2015-11-06 - 19:08 over 8 years
2.14.0 BSD-3-Clause 22 2015-09-18 - 16:57 over 8 years
2.13.4 BSD-3-Clause 22 2015-08-16 - 16:21 over 8 years
2.13.3 BSD-3-Clause 22 2015-08-16 - 02:15 over 8 years