Skip to content

puma-6.4.0.gem: 1 vulnerabilities (highest severity is: 7.5) #9

Description

@mend-for-github-com
Vulnerable Library - puma-6.4.0.gem

Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-6.4.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (puma version) Remediation Possible** Reachability
CVE-2024-21647 High 7.5 Not Defined 0.0% puma-6.4.0.gem Direct puma - 5.6.8,6.4.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21647

Vulnerable Library - puma-6.4.0.gem

Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-6.4.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.4.0.gem

Dependency Hierarchy:

  • puma-6.4.0.gem (Vulnerable Library)

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Found in base branch: main

Vulnerability Details

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Publish Date: 2024-01-08

URL: CVE-2024-21647

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21647

Release Date: 2024-01-08

Fix Resolution: puma - 5.6.8,6.4.2

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions