Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/135117?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/135117?format=api", "purl": "pkg:gem/puma@1.6.1", "type": "gem", "namespace": "", "name": "puma", "version": "1.6.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.6.9", "latest_non_vulnerable_version": "6.4.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11382?format=api", "vulnerability_id": "VCID-5zm7-c7nu-quad", "summary": "Puma with proxy which forwards LF characters as line endings could allow HTTP request smuggling\nPrior to `puma` version 5.5.0, using `puma` with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.\n\nThis behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as \"low\". Puma is only aware of a single proxy server which has this behavior.\n\nIf the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.5226", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52256", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52218", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52233", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52249", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52197", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52201", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52148", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52113", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52183", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52156", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18" }, { "reference_url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f" }, { "reference_url": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v4.3.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v4.3.9" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v5.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v5.5.1" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013495", "reference_id": "2013495", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013495" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136", "reference_id": "CVE-2021-41136", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml", "reference_id": "CVE-2021-41136.YML", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml" }, { "reference_url": "https://github.com/advisories/GHSA-48w2-rm65-62xx", "reference_id": "GHSA-48w2-rm65-62xx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48w2-rm65-62xx" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx", "reference_id": "GHSA-48w2-rm65-62xx", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5498", "reference_id": "RHSA-2022:5498", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5498" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40870?format=api", "purl": "pkg:gem/puma@4.3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/135211?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/40869?format=api", "purl": "pkg:gem/puma@5.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.5.1" } ], "aliases": [ "CVE-2021-41136", "GHSA-48w2-rm65-62xx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zm7-c7nu-quad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33438?format=api", "vulnerability_id": "VCID-ap87-c4dc-zfcy", "summary": "HTTP Response Splitting (Early Hints) in Puma\n### Impact\nIf an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).\n\nWhile not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [puma](https://github.com/puma/puma)\n* Email us a project maintainer. [Email addresses are listed in our Code of Conduct](https://github.com/puma/puma/blob/master/CODE_OF_CONDUCT.md#enforcement).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.6591", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65896", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65861", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65891", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65903", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65885", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65825", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65775", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65873", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65821", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.65855", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5249" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5249", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5249" }, { "reference_url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816181", "reference_id": "1816181", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816181" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122", "reference_id": "953122", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122" }, { "reference_url": "https://github.com/advisories/GHSA-33vf-4xgg-9r58", "reference_id": "GHSA-33vf-4xgg-9r58", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33vf-4xgg-9r58" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73127?format=api", "purl": "pkg:gem/puma@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/73128?format=api", "purl": "pkg:gem/puma@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3" } ], "aliases": [ "CVE-2020-5249", "GHSA-33vf-4xgg-9r58" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ap87-c4dc-zfcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18758?format=api", "vulnerability_id": "VCID-fhu7-fyha-9khj", "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')\nPuma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59354", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59279", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59302", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59266", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59317", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.5933", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59349", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59332", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59315", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59348", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40175" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/" } ], "url": "https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a" }, { "reference_url": "https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662" }, { "reference_url": "https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v5.6.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v5.6.7" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v6.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v6.3.1" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079", "reference_id": "1050079", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232729", "reference_id": "2232729", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232729" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40175", "reference_id": "CVE-2023-40175", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40175" }, { "reference_url": "https://github.com/advisories/GHSA-68xg-gqqm-vgj8", "reference_id": "GHSA-68xg-gqqm-vgj8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68xg-gqqm-vgj8" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8", "reference_id": "GHSA-68xg-gqqm-vgj8", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0797", "reference_id": "RHSA-2024:0797", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0797" }, { "reference_url": "https://usn.ubuntu.com/6399-1/", "reference_id": "USN-6399-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6399-1/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59521?format=api", "purl": "pkg:gem/puma@5.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/59522?format=api", "purl": "pkg:gem/puma@6.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.3.1" } ], "aliases": [ "CVE-2023-40175", "GHSA-68xg-gqqm-vgj8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fhu7-fyha-9khj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13567?format=api", "vulnerability_id": "VCID-gkf9-7a9x-nkh4", "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')\nPuma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61821", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61816", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61774", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61794", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.6177", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61751", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61721", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61806", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.61786", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://portswigger.net/web-security/request-smuggling", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portswigger.net/web-security/request-smuggling" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723", "reference_id": "1008723", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071616", "reference_id": "2071616", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071616" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24790", "reference_id": "CVE-2022-24790", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24790" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://github.com/advisories/GHSA-h99w-9q5r-gjq9", "reference_id": "GHSA-h99w-9q5r-gjq9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h99w-9q5r-gjq9" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9", "reference_id": "GHSA-h99w-9q5r-gjq9", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8532", "reference_id": "RHSA-2022:8532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1486", "reference_id": "RHSA-2023:1486", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1486" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48380?format=api", "purl": "pkg:gem/puma@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/135211?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/48381?format=api", "purl": "pkg:gem/puma@5.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.4" } ], "aliases": [ "CVE-2022-24790", "GHSA-h99w-9q5r-gjq9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gkf9-7a9x-nkh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12862?format=api", "vulnerability_id": "VCID-jwun-grgg-2uet", "summary": "Exposure of information in Action Pack\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.5868", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58685", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58648", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58667", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58687", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58669", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58662", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.5861", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58643", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58623", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23633" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63277", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63198", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63269", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63284", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63233", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63267", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.6327", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.6325", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00453", "scoring_system": "epss", "scoring_elements": "0.63763", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00453", "scoring_system": "epss", "scoring_elements": "0.63789", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796" }, { "reference_url": "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb" }, { "reference_url": "https://github.com/rails/rails", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails" }, { "reference_url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240119-0013", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240119-0013" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240119-0013/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20240119-0013/" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5372", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2023/dsa-5372" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/02/11/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389", "reference_id": "1005389", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391", "reference_id": "1005391", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054211", "reference_id": "2054211", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054211" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063149", "reference_id": "2063149", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063149" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633", "reference_id": "CVE-2022-23633", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634", "reference_id": "CVE-2022-23634", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634" }, { "reference_url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h", "reference_id": "GHSA-rmj8-8hhh-gv5h", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h", "reference_id": "GHSA-rmj8-8hhh-gv5h", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h" }, { "reference_url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9", "reference_id": "GHSA-wh98-p28r-vrc9", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9" }, { "reference_url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9", "reference_id": "GHSA-wh98-p28r-vrc9", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5498", "reference_id": "RHSA-2022:5498", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5498" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46079?format=api", "purl": "pkg:gem/puma@4.3.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/135211?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/46080?format=api", "purl": "pkg:gem/puma@5.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.2" } ], "aliases": [ "CVE-2022-23633", "CVE-2022-23634", "GHSA-rmj8-8hhh-gv5h", "GHSA-wh98-p28r-vrc9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jwun-grgg-2uet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14090?format=api", "vulnerability_id": "VCID-nxhw-rdtz-zyar", "summary": "Puma HTTP Request/Response Smuggling vulnerability\n### Impact\nPrior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.\n\nFixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.\n\n### Patches\n\nThe vulnerability has been fixed in 6.4.2 and 5.6.8.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n* Open an issue in [Puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21647", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85263", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85183", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85201", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85203", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85225", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85233", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85247", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85245", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85241", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85261", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21647" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/" } ], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93" }, { "reference_url": "https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7" }, { "reference_url": "https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21647", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21647" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345", "reference_id": "1060345", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257340", "reference_id": "2257340", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257340" }, { "reference_url": "https://github.com/advisories/GHSA-c2f4-cvqm-65w2", "reference_id": "GHSA-c2f4-cvqm-65w2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c2f4-cvqm-65w2" }, { "reference_url": "https://usn.ubuntu.com/6597-1/", "reference_id": "USN-6597-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6597-1/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50207?format=api", "purl": "pkg:gem/puma@5.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/50205?format=api", "purl": "pkg:gem/puma@6.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.2" } ], "aliases": [ "CVE-2024-21647", "GHSA-c2f4-cvqm-65w2" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nxhw-rdtz-zyar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33339?format=api", "vulnerability_id": "VCID-pr2m-wx1b-hqbz", "summary": "HTTP Response Splitting in Puma\nIn Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.\n\nWhile not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).\n\nThis is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.\n\nThis has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84061", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84059", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84036", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84041", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84047", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.8403", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84024", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84001", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.83998", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.83983", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.83969", "published_at": "2026-04-01T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5247" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5247", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5247" }, { "reference_url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" }, { "reference_url": "https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816187", "reference_id": "1816187", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816187" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766", "reference_id": "952766", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766" }, { "reference_url": "https://github.com/advisories/GHSA-84j7-475p-hp8v", "reference_id": "GHSA-84j7-475p-hp8v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-84j7-475p-hp8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73127?format=api", "purl": "pkg:gem/puma@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/73128?format=api", "purl": "pkg:gem/puma@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3" } ], "aliases": [ "CVE-2020-5247", "GHSA-84j7-475p-hp8v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pr2m-wx1b-hqbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13338?format=api", "vulnerability_id": "VCID-pvph-c6vu-qkhn", "summary": "Puma's header normalization allows for client to clobber proxy set headers\n### Impact\n\nClients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack. \n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45614", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.7295", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.7294", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72898", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72906", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72923", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72899", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72847", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00739", "scoring_system": "epss", "scoring_elements": "0.72885", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0076", "scoring_system": "epss", "scoring_elements": "0.73289", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0076", "scoring_system": "epss", "scoring_elements": "0.73312", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45614" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043" }, { "reference_url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html" }, { "reference_url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/" } ], "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379", "reference_id": "1082379", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313672", "reference_id": "2313672", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313672" }, { "reference_url": "https://github.com/advisories/GHSA-9hf4-67fc-4vf4", "reference_id": "GHSA-9hf4-67fc-4vf4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9hf4-67fc-4vf4" }, { "reference_url": "https://usn.ubuntu.com/7031-1/", "reference_id": "USN-7031-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7031-1/" }, { "reference_url": "https://usn.ubuntu.com/7031-2/", "reference_id": "USN-7031-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7031-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47660?format=api", "purl": "pkg:gem/puma@5.6.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/47662?format=api", "purl": "pkg:gem/puma@6.4.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.3" } ], "aliases": [ "CVE-2024-45614", "GHSA-9hf4-67fc-4vf4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvph-c6vu-qkhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47854?format=api", "vulnerability_id": "VCID-q37p-vzmm-aken", "summary": "Puma's Keepalive Connections Causing Denial Of Service\nThis vulnerability is related to [CVE-2019-16770](https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994).\n\n### Impact\n\nThe fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.\n\nA `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.\n\n### Patches\n\nThis problem has been fixed in `puma` 4.3.8 and 5.3.1.\n\n### Workarounds\n\nSetting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. [slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security))).\n\nThe fix is very small. [A git patch is available here](https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837) for those using [unsupported versions](https://github.com/puma/puma/security/policy#supported-versions) of Puma.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Puma](https://github.com/puma/puma).\n* To report problems with this fix or to report another vulnerability, see [our security policy.](https://github.com/puma/puma/security/policy)\n\n### Acknowledgements\n\nThank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue. \n\nThank you to @ioquatix for providing a modified fork of `wrk` which made debugging this issue much easier.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29509", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.8017", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.8014", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80148", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80164", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80094", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80145", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80138", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80109", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80122", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80102", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29509" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5" }, { "reference_url": "https://github.com/puma/puma/security/policy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/policy" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509" }, { "reference_url": "https://rubygems.org/gems/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubygems.org/gems/puma" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964874", "reference_id": "1964874", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964874" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054", "reference_id": "989054", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054" }, { "reference_url": "https://github.com/advisories/GHSA-q28m-8xjw-8vr5", "reference_id": "GHSA-q28m-8xjw-8vr5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q28m-8xjw-8vr5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4702", "reference_id": "RHSA-2021:4702", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4702" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77274?format=api", "purl": "pkg:gem/puma@4.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/135211?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/77275?format=api", "purl": "pkg:gem/puma@5.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.3.1" } ], "aliases": [ "CVE-2021-29509", "GHSA-q28m-8xjw-8vr5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q37p-vzmm-aken" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50577?format=api", "vulnerability_id": "VCID-tsrb-zgtb-8ybu", "summary": "## Keepalive thread overload/DoS\n\n### Impact\n\nA poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.\n\nIf more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.\n\n### Patches\n\nThis vulnerability is patched in Puma 4.3.1 and 3.12.2.\n\n### Workarounds\n\nReverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [puma](github.com/puma/puma).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81654", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81624", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81636", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81564", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81616", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81611", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81583", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81585", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81552", "published_at": "2026-04-01T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16770" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-7xx3-m584-x994", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xx3-m584-x994" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16770", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16770" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831297", "reference_id": "1831297", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831297" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312", "reference_id": "946312", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78856?format=api", "purl": "pkg:gem/puma@3.12.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-ap87-c4dc-zfcy" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pr2m-wx1b-hqbz" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/78857?format=api", "purl": "pkg:gem/puma@4.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5zm7-c7nu-quad" }, { "vulnerability": "VCID-ap87-c4dc-zfcy" }, { "vulnerability": "VCID-bk4b-h5hu-2qeq" }, { "vulnerability": "VCID-euqw-bed6-z7d6" }, { "vulnerability": "VCID-fhu7-fyha-9khj" }, { "vulnerability": "VCID-gkf9-7a9x-nkh4" }, { "vulnerability": "VCID-jwun-grgg-2uet" }, { "vulnerability": "VCID-nxhw-rdtz-zyar" }, { "vulnerability": "VCID-pr2m-wx1b-hqbz" }, { "vulnerability": "VCID-pvph-c6vu-qkhn" }, { "vulnerability": "VCID-q37p-vzmm-aken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.1" } ], "aliases": [ "CVE-2019-16770", "GHSA-7xx3-m584-x994" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tsrb-zgtb-8ybu" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@1.6.1" }