Ruby/puma/5.6.5
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby, and it also provides process worker support so that CRuby is served well.
https://rubygems.org/gems/puma
BSD-3-Clause
1 Security Vulnerability
Puma HTTP Request/Response Smuggling vulnerability
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
- https://nvd.nist.gov/vuln/detail/CVE-2024-21647
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
- https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
- https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
- https://github.com/advisories/GHSA-c2f4-cvqm-65w2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
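The advisory above says the fix limits the size of chunk extensions. The following decoder is an added example, not Puma's code: it walks a chunked body and rejects a chunk-size line whose extension exceeds a cap before any further parsing, so an attacker-controlled extension cannot drive unbounded CPU or bandwidth use. The cap value and the class names are assumptions for illustration.

```ruby
# Added example (not Puma's code): a minimal HTTP/1.1 chunked-body decoder
# that caps the byte length of each chunk extension. The cap value below is
# an assumption; Puma's own limit may differ.
class ChunkExtensionTooLong < StandardError; end
class MalformedChunk < StandardError; end

MAX_CHUNK_EXT_LENGTH = 256 # assumed cap, not Puma's value

# Decodes a complete chunked body held in `data` and returns the payload.
# Each chunk-size line looks like: HEXSIZE[;ext-name[=ext-value]...]\r\n
def decode_chunked(data, max_ext: MAX_CHUNK_EXT_LENGTH)
  data = data.b          # work in binary so char offsets equal byte offsets
  body = "".b
  pos = 0
  loop do
    eol = data.index("\r\n", pos)
    raise MalformedChunk, "missing chunk-size line" unless eol
    line = data[pos...eol]
    size_hex, ext = line.split(";", 2)
    # Reject an oversized extension before spending any more work on it.
    if ext && ext.bytesize > max_ext
      raise ChunkExtensionTooLong, "extension of #{ext.bytesize} bytes exceeds #{max_ext}"
    end
    size_hex = size_hex.to_s.strip
    raise MalformedChunk, "bad chunk size #{size_hex.inspect}" unless size_hex =~ /\A\h+\z/
    size = size_hex.to_i(16)
    pos = eol + 2
    # Last chunk (size 0): optional trailers follow; they are ignored here.
    return body if size.zero?
    raise MalformedChunk, "truncated chunk data" if data.bytesize < pos + size + 2
    body << data.byteslice(pos, size)
    unless data.byteslice(pos + size, 2) == "\r\n"
      raise MalformedChunk, "chunk data not followed by CRLF"
    end
    pos += size + 2
  end
end

# Constructed sample inputs: a well-formed body with a small extension, and a
# body whose first chunk carries a 1000-byte extension.
GOOD_BODY = "4\r\nWiki\r\n5;name=value\r\npedia\r\n0\r\n\r\n"
OVERSIZED = "4;" + ("x" * 1000) + "\r\nWiki\r\n0\r\n\r\n"
```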
167 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
5.0.4 | BSD-3-Clause | 12 | 2020-10-27 - 14:18 | over 3 years |
5.0.3 | BSD-3-Clause | 12 | 2020-10-26 - 13:05 | over 3 years |
5.0.2 | BSD-3-Clause | 12 | 2020-09-28 - 15:19 | over 3 years |
5.0.1 | BSD-3-Clause | 12 | 2020-09-28 - 13:48 | over 3 years |
5.0.0 | BSD-3-Clause | 12 | 2020-09-17 - 17:06 | over 3 years |
5.0.0.beta2 | BSD-3-Clause | 8 | 2020-09-05 - 22:28 | over 3 years |
5.0.0.beta1 | BSD-3-Clause | 8 | 2020-05-12 - 01:49 | almost 4 years |
4.3.6 | BSD-3-Clause | 8 | 2020-09-05 - 21:12 | over 3 years |
4.3.5 | BSD-3-Clause | 8 | 2020-05-19 - 22:43 | almost 4 years |
4.3.4 | BSD-3-Clause | 10 | 2020-05-19 - 00:09 | almost 4 years |
4.3.3 | BSD-3-Clause | 12 | 2020-02-28 - 19:23 | about 4 years |
4.3.1 | BSD-3-Clause | 16 | 2019-12-05 - 07:38 | over 4 years |
4.3.0 | BSD-3-Clause | 18 | 2019-11-07 - 21:05 | over 4 years |
4.2.1 | BSD-3-Clause | 22 | 2019-10-07 - 09:44 | over 4 years |
4.2.0 | BSD-3-Clause | 22 | 2019-09-23 - 09:25 | over 4 years |
4.1.1 | BSD-3-Clause | 22 | 2019-09-09 - 12:20 | over 4 years |
4.1.0 | BSD-3-Clause | 22 | 2019-08-08 - 19:55 | almost 5 years |
4.0.1 | BSD-3-Clause | 22 | 2019-07-11 - 17:52 | almost 5 years |
4.0.0 | BSD-3-Clause | 22 | 2019-06-25 - 17:46 | almost 5 years |
3.12.6 | BSD-3-Clause | 12 | 2020-05-19 - 22:43 | almost 4 years |
3.12.5 | BSD-3-Clause | 13 | 2020-05-19 - 00:08 | almost 4 years |
3.12.4 | BSD-3-Clause | 14 | 2020-02-28 - 19:49 | about 4 years |
3.12.2 | BSD-3-Clause | 16 | 2019-12-05 - 07:43 | over 4 years |
3.12.1 | BSD-3-Clause | 17 | 2019-03-19 - 18:07 | about 5 years |
3.12.0 | BSD-3-Clause | 17 | 2018-07-13 - 16:10 | almost 6 years |
3.11.4 | BSD-3-Clause | 22 | 2018-04-12 - 19:40 | about 6 years |
3.11.3 | BSD-3-Clause | 22 | 2018-03-06 - 05:42 | about 6 years |
3.11.2 | BSD-3-Clause | 22 | 2018-01-19 - 19:24 | over 6 years |
3.11.1 | BSD-3-Clause | 22 | 2018-01-19 - 04:49 | over 6 years |
3.11.0 | BSD-3-Clause | 22 | 2017-11-20 - 16:29 | over 6 years |
3.10.0 | BSD-3-Clause | 22 | 2017-08-17 - 19:25 | over 6 years |
3.9.1 | BSD-3-Clause | 22 | 2017-06-03 - 14:04 | almost 7 years |
3.9.0 | BSD-3-Clause | 22 | 2017-06-01 - 15:40 | almost 7 years |
3.8.2 | BSD-3-Clause | 22 | 2017-03-14 - 17:57 | about 7 years |
3.8.1 | BSD-3-Clause | 22 | 2017-03-10 - 17:20 | about 7 years |
3.8.0 | BSD-3-Clause | 22 | 2017-03-09 - 22:28 | about 7 years |
3.7.1 | BSD-3-Clause | 22 | 2017-02-20 - 15:19 | about 7 years |
3.7.0 | BSD-3-Clause | 22 | 2017-01-28 - 00:36 | over 7 years |
3.6.2 | BSD-3-Clause | 22 | 2016-11-22 - 23:57 | over 7 years |
3.6.1 | BSD-3-Clause | 22 | 2016-11-21 - 19:08 | over 7 years |
3.6.0 | BSD-3-Clause | 22 | 2016-07-25 - 05:18 | almost 8 years |
3.5.2 | BSD-3-Clause | 22 | 2016-07-20 - 17:59 | almost 8 years |
3.5.1 | BSD-3-Clause | 22 | 2016-07-20 - 17:55 | almost 8 years |
3.5.0 | BSD-3-Clause | 22 | 2016-07-19 - 05:08 | almost 8 years |
3.4.0 | BSD-3-Clause | 22 | 2016-04-07 - 22:07 | about 8 years |
3.3.0 | BSD-3-Clause | 22 | 2016-04-05 - 16:29 | about 8 years |
3.2.0 | BSD-3-Clause | 22 | 2016-03-20 - 21:21 | about 8 years |
3.1.1 | BSD-3-Clause | 22 | 2016-03-18 - 04:33 | about 8 years |
3.1.0 | BSD-3-Clause | 22 | 2016-03-06 - 00:34 | about 8 years |
3.0.2 | BSD-3-Clause | 22 | 2016-02-26 - 18:39 | about 8 years |
3.0.1 | BSD-3-Clause | 22 | 2016-02-26 - 03:44 | about 8 years |
3.0.0 | BSD-3-Clause | 22 | 2016-02-25 - 22:25 | about 8 years |
3.0.0.rc1 | BSD-3-Clause | 22 | 2016-02-20 - 01:27 | about 8 years |
2.16.0 | BSD-3-Clause | 22 | 2016-01-28 - 03:58 | over 8 years |
2.15.3 | BSD-3-Clause | 22 | 2015-11-07 - 17:19 | over 8 years |
2.15.2 | BSD-3-Clause | 22 | 2015-11-06 - 23:35 | over 8 years |
2.15.1 | BSD-3-Clause | 22 | 2015-11-06 - 23:31 | over 8 years |
2.15.0 | BSD-3-Clause | 22 | 2015-11-06 - 19:08 | over 8 years |
2.14.0 | BSD-3-Clause | 22 | 2015-09-18 - 16:57 | over 8 years |
2.13.4 | BSD-3-Clause | 22 | 2015-08-16 - 16:21 | over 8 years |
2.13.3 | BSD-3-Clause | 22 | 2015-08-16 - 02:15 | over 8 years |
2.13.2 | BSD-3-Clause | 22 | 2015-08-15 - 21:52 | over 8 years |
2.13.1 | BSD-3-Clause | 22 | 2015-08-15 - 17:10 | over 8 years |
2.13.0 | BSD-3-Clause | 22 | 2015-08-15 - 01:35 | over 8 years |
2.12.3 | BSD-3-Clause | 22 | 2015-08-04 - 05:19 | almost 9 years |
2.12.2 | BSD-3-Clause | 22 | 2015-07-17 - 18:53 | almost 9 years |
2.12.1 | BSD-3-Clause | 22 | 2015-07-16 - 17:08 | almost 9 years |
2.12.0 | BSD-3-Clause | 22 | 2015-07-14 - 19:03 | almost 9 years |
2.11.3 | BSD-3-Clause | 22 | 2015-05-19 - 04:12 | almost 9 years |
2.11.2 | BSD-3-Clause | 22 | 2015-04-13 - 16:22 | about 9 years |
2.11.1 | BSD-3-Clause | 22 | 2015-02-11 - 23:51 | about 9 years |
2.11.0 | BSD-3-Clause | 22 | 2015-01-20 - 19:01 | over 9 years |
2.10.2 | BSD-3-Clause | 22 | 2014-11-27 - 07:08 | over 9 years |
2.10.1 | BSD-3-Clause | 22 | 2014-11-24 - 19:50 | over 9 years |
2.10.0 | BSD-3-Clause | 22 | 2014-11-24 - 03:58 | over 9 years |
2.9.2 | BSD-3-Clause | 22 | 2014-10-30 - 14:58 | over 9 years |
2.9.1 | BSD-3-Clause | 22 | 2014-09-05 - 18:41 | over 9 years |
2.9.0 | BSD-3-Clause | 22 | 2014-07-13 - 01:03 | almost 10 years |
5.6.4 | BSD-3-Clause | 1 | 2022-03-30 - 16:15 | about 2 years |
5.5.1 | BSD-3-Clause | 8 | 2021-10-12 - 15:11 | over 2 years |
6.1.1 | BSD-3-Clause | 4 | 2023-02-28 - 07:40 | about 1 year |
6.1.0 | BSD-3-Clause | 4 | 2023-02-12 - 04:58 | about 1 year |
5.5.2 | BSD-3-Clause | 8 | 2021-10-12 - 23:08 | over 2 years |
4.3.11 | BSD-3-Clause | 5 | 2022-02-11 - 21:21 | about 2 years |
5.6.1 | BSD-3-Clause | 5 | 2022-01-27 - 00:40 | over 2 years |
5.6.2 | BSD-3-Clause | 3 | 2022-02-11 - 21:17 | about 2 years |
4.3.10 | BSD-3-Clause | 6 | 2021-10-12 - 23:15 | over 2 years |
5.6.0 | BSD-3-Clause | 5 | 2022-01-25 - 21:21 | over 2 years |
5.4.0 | BSD-3-Clause | 10 | 2021-07-29 - 14:31 | almost 3 years |
4.3.9 | BSD-3-Clause | 6 | 2021-10-12 - 15:13 | over 2 years |
5.5.0 | BSD-3-Clause | 10 | 2021-09-19 - 20:09 | over 2 years |
6.2.0 | BSD-3-Clause | 4 | 2023-03-29 - 06:55 | about 1 year |
4.3.8 | BSD-3-Clause | 7 | 2021-05-11 - 14:54 | almost 3 years |
5.3.2 | BSD-3-Clause | 10 | 2021-05-21 - 17:17 | almost 3 years |
5.3.0 | BSD-3-Clause | 12 | 2021-05-07 - 15:01 | about 3 years |
5.3.1 | BSD-3-Clause | 10 | 2021-05-11 - 14:56 | almost 3 years |
6.2.1 | BSD-3-Clause | 4 | 2023-03-31 - 06:53 | about 1 year |
6.0.0 | BSD-3-Clause | 4 | 2022-10-14 - 02:33 | over 1 year |
5.6.5 | BSD-3-Clause | 1 | 2022-08-23 - 06:04 | over 1 year |
5.2.0 | BSD-3-Clause | 12 | 2021-01-27 - 20:43 | over 3 years |