Vulnerable Library - puma-6.4.0.gem
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
Library home page: https://rubygems.org/gems/puma-6.4.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
| CVE |
Severity |
CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (puma version) |
Remediation Possible** |
Reachability |
| CVE-2024-21647 |
High |
7.5 |
Not Defined |
0.0% |
puma-6.4.0.gem |
Direct |
puma - 5.6.8,6.4.2 |
✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-21647
Vulnerable Library - puma-6.4.0.gem
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
Library home page: https://rubygems.org/gems/puma-6.4.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem
Dependency Hierarchy:
- ❌ puma-6.4.0.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.
Publish Date: 2024-01-08
URL: CVE-2024-21647
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21647
Release Date: 2024-01-08
Fix Resolution: puma - 5.6.8,6.4.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
Library home page: https://rubygems.org/gems/puma-6.4.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - puma-6.4.0.gem
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
Library home page: https://rubygems.org/gems/puma-6.4.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.
Publish Date: 2024-01-08
URL: CVE-2024-21647
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-21647
Release Date: 2024-01-08
Fix Resolution: puma - 5.6.8,6.4.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules