Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/76333?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/76333?format=api", "purl": "pkg:gem/puma@3.0.0", "type": "gem", "namespace": "", "name": "puma", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.6.9", "latest_non_vulnerable_version": "6.4.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51636?format=api", "vulnerability_id": "VCID-2xj4-cnr2-wffv", "summary": "Keepalive thread overload/DoS in puma\nA poorly-behaved client could use keepalive requests to monopolize\nPuma's reactor and create a denial of service attack.\n\nIf more keepalive connections to Puma are opened than there are\nthreads available, additional connections will wait permanently if\nthe attacker sends requests frequently enough.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81957", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81992", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01587", "scoring_system": "epss", "scoring_elements": "0.81991", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16770" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-7xx3-m584-x994", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7xx3-m584-x994" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831297", "reference_id": "1831297", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831297" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312", "reference_id": "946312", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16770", "reference_id": "CVE-2019-16770", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16770" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76335?format=api", "purl": "pkg:gem/puma@3.12.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-8yqn-1dq4-ffh1" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-vsxc-v81n-wfcp" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76336?format=api", "purl": "pkg:gem/puma@4.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-8yqn-1dq4-ffh1" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-vsxc-v81n-wfcp" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.1" } ], "aliases": [ "CVE-2019-16770", "GHSA-7xx3-m584-x994" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xj4-cnr2-wffv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3267?format=api", "vulnerability_id": "VCID-4td1-xb1a-s3fp", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.65465", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.65402", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.65454", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23634" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391", "reference_id": "1005391", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054211", "reference_id": "2054211", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054211" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9", "reference_id": "GHSA-wh98-p28r-vrc9", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5498", "reference_id": "RHSA-2022:5498", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5498" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/147742?format=api", "purl": "pkg:gem/puma@4.3.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/147737?format=api", "purl": "pkg:gem/puma@5.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.2" } ], "aliases": [ "CVE-2022-23634", "GHSA-rmj8-8hhh-gv5h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4td1-xb1a-s3fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51642?format=api", "vulnerability_id": "VCID-8yqn-1dq4-ffh1", "summary": "HTTP Response Splitting (Early Hints) in Puma\n### Impact\nIf an application using Puma allows untrusted input in an early-hints header,\nan attacker can use a carriage return character to end the header and inject\nmalicious content, such as additional headers or an entirely new response body.\nThis vulnerability is known as [HTTP Response\nSplitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n\nWhile not an attack in itself, response splitting is a vector for several other\nattacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),\nwhich fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.66268", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.66259", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00498", "scoring_system": "epss", "scoring_elements": "0.66208", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5249" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/" }, { "reference_url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816181", "reference_id": "1816181", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816181" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122", "reference_id": "953122", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5249", "reference_id": "CVE-2020-5249", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5249" }, { "reference_url": "https://github.com/advisories/GHSA-33vf-4xgg-9r58", "reference_id": "GHSA-33vf-4xgg-9r58", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33vf-4xgg-9r58" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76786?format=api", "purl": "pkg:gem/puma@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/76787?format=api", "purl": "pkg:gem/puma@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3" } ], "aliases": [ "CVE-2020-5249", "GHSA-33vf-4xgg-9r58" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8yqn-1dq4-ffh1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51638?format=api", "vulnerability_id": "VCID-a89c-mhxf-gbcr", "summary": "HTTP Smuggling via Transfer-Encoding Header in Puma\n### Impact\n\nThis is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.\n\nA client could smuggle a request through a proxy, causing the proxy to send a response\nback to another unknown client.\n\nIf the proxy uses persistent connections and the client adds another request in via HTTP\npipelining, the proxy may mistake it as the first request's body. Puma, however,\nwould see it as two requests, and when processing the second request, send back\na response that the proxy does not expect. If the proxy has reused the persistent\nconnection to Puma to send another request for a different client, the second response\nfrom the first client will be sent to the second client.\n\n### Patches\n\nThe problem has been fixed in Puma 3.12.6 and Puma 4.3.5.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11077.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11077.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11077", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00821", "scoring_system": "epss", "scoring_elements": "0.74789", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00821", "scoring_system": "epss", "scoring_elements": "0.74753", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00821", "scoring_system": "epss", "scoring_elements": "0.74783", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11077" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11077.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11077.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842534", "reference_id": "1842534", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842534" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102", "reference_id": "972102", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11077", "reference_id": "CVE-2020-11077", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11077" }, { "reference_url": "https://github.com/advisories/GHSA-w64w-qqph-5gxm", "reference_id": "GHSA-w64w-qqph-5gxm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w64w-qqph-5gxm" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77379?format=api", "purl": "pkg:gem/puma@3.12.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/77380?format=api", "purl": "pkg:gem/puma@4.3.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.5" } ], "aliases": [ "CVE-2020-11077", "GHSA-w64w-qqph-5gxm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a89c-mhxf-gbcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51637?format=api", "vulnerability_id": "VCID-afk2-2mrt-h3ds", "summary": "HTTP Smuggling via Transfer-Encoding Header in Puma\n### Impact\n\nBy using an invalid transfer-encoding header, an attacker could\n[smuggle an HTTP response.](https://portswigger.net/web-security/request-smuggling)\n\n### Patches\n\nThe problem has been fixed in Puma 3.12.5 and Puma 4.3.4.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11076.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11076.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11076", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01782", "scoring_system": "epss", "scoring_elements": "0.83092", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01782", "scoring_system": "epss", "scoring_elements": "0.83065", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01782", "scoring_system": "epss", "scoring_elements": "0.83091", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11076" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11076", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11076" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22" }, { "reference_url": "https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842539", "reference_id": "1842539", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842539" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102", "reference_id": "972102", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11076", "reference_id": "CVE-2020-11076", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11076" }, { "reference_url": "https://github.com/advisories/GHSA-x7jg-6pwg-fx5h", "reference_id": "GHSA-x7jg-6pwg-fx5h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x7jg-6pwg-fx5h" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/140519?format=api", "purl": "pkg:gem/puma@3.12.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/77379?format=api", "purl": "pkg:gem/puma@3.12.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/140521?format=api", "purl": "pkg:gem/puma@4.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/77380?format=api", "purl": "pkg:gem/puma@4.3.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.5" } ], "aliases": [ "CVE-2020-11076", "GHSA-x7jg-6pwg-fx5h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-afk2-2mrt-h3ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51641?format=api", "vulnerability_id": "VCID-jqd6-2kq1-y7fu", "summary": "Puma's header normalization allows for client to clobber proxy set headers\n### Impact\n\nClients could clobber values set by intermediate proxies (such as\nX-Forwarded-For) by providing a underscore version of the same\nheader (X-Forwarded_For).\n\nAny users trusting headers set by their proxy may be affected.\nAttackers may be able to downgrade connections to HTTP (non-SSL)\nor redirect responses, which could cause confidentiality leaks\nif combined with a separate MITM attack.\n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the\nnon-underscore version also exists. Effectively, allowing the\nproxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)\nconfiguration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers\nfor security or availability should immediately cease doing so\nuntil upgraded to the fixed versions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45614", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.7449", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00803", "scoring_system": "epss", "scoring_elements": "0.74484", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45614" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043" }, { "reference_url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html" }, { "reference_url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/" } ], "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379", "reference_id": "1082379", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313672", "reference_id": "2313672", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313672" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614", "reference_id": "CVE-2024-45614", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml", "reference_id": "CVE-2024-45614.YML", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml" }, { "reference_url": "https://github.com/advisories/GHSA-9hf4-67fc-4vf4", "reference_id": "GHSA-9hf4-67fc-4vf4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9hf4-67fc-4vf4" }, { "reference_url": "https://usn.ubuntu.com/7031-1/", "reference_id": "USN-7031-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7031-1/" }, { "reference_url": "https://usn.ubuntu.com/7031-2/", "reference_id": "USN-7031-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7031-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82770?format=api", "purl": "pkg:gem/puma@5.6.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/82771?format=api", "purl": "pkg:gem/puma@6.4.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.3" } ], "aliases": [ "CVE-2024-45614", "GHSA-9hf4-67fc-4vf4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jqd6-2kq1-y7fu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51639?format=api", "vulnerability_id": "VCID-nmrt-u3yt-c3bs", "summary": "Keepalive Connections Causing Denial Of Service in puma\n### Impact\n\nThe fix for CVE-2019-16770 was incomplete. The original fix only protected\nexisting connections that had already been accepted from having their\nrequests starved by greedy persistent-connections saturating all threads in\nthe same process. However, new connections may still be starved by greedy\npersistent-connections saturating all threads in all processes in the\ncluster.\n\nA puma server which received more concurrent keep-alive connections than the\nserver had threads in its threadpool would service only a subset of\nconnections, denying service to the unserved connections.\n\n### Patches\n\nThis problem has been fixed in puma 4.3.8 and 5.3.1.\n\n### Workarounds\n\nSetting queue_requests false also fixes the issue. This is not advised when\nusing puma without a reverse proxy, such as nginx or apache, because you will\nopen yourself to slow client attacks (e.g. [slowloris][1]).\n\nThe fix is very small. [A git patch is available here][2] for those using\n[unsupported versions][3] of Puma.\n\n[1]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)\n[2]: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837\n[3]: https://github.com/puma/puma/security/policy#supported-versions", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29509", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.8048", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80509", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01358", "scoring_system": "epss", "scoring_elements": "0.80507", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29509" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5" }, { "reference_url": "https://github.com/puma/puma/security/policy", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/policy" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://rubygems.org/gems/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubygems.org/gems/puma" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964874", "reference_id": "1964874", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964874" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054", "reference_id": "989054", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509", "reference_id": "CVE-2021-29509", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4702", "reference_id": "RHSA-2021:4702", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4702" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80713?format=api", "purl": "pkg:gem/puma@4.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/162931?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/80714?format=api", "purl": "pkg:gem/puma@5.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.3.1" } ], "aliases": [ "CVE-2021-29509", "GHSA-q28m-8xjw-8vr5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nmrt-u3yt-c3bs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45874?format=api", "vulnerability_id": "VCID-prw8-q89n-fkcp", "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')\nPuma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40175", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.5966", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59657", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40175" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/" } ], "url": "https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a" }, { "reference_url": "https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662" }, { "reference_url": "https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v5.6.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v5.6.7" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v6.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v6.3.1" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079", "reference_id": "1050079", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232729", "reference_id": "2232729", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232729" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40175", "reference_id": "CVE-2023-40175", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40175" }, { "reference_url": "https://github.com/advisories/GHSA-68xg-gqqm-vgj8", "reference_id": "GHSA-68xg-gqqm-vgj8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-68xg-gqqm-vgj8" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8", "reference_id": "GHSA-68xg-gqqm-vgj8", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0797", "reference_id": "RHSA-2024:0797", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0797" }, { "reference_url": "https://usn.ubuntu.com/6399-1/", "reference_id": "USN-6399-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6399-1/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66594?format=api", "purl": "pkg:gem/puma@5.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/66595?format=api", "purl": "pkg:gem/puma@6.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.3.1" } ], "aliases": [ "CVE-2023-40175", "GHSA-68xg-gqqm-vgj8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-prw8-q89n-fkcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46792?format=api", "vulnerability_id": "VCID-qpmp-qmsu-vufy", "summary": "Puma HTTP Request/Response Smuggling vulnerability\nPrior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.\n\nFixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21647", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85546", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0246", "scoring_system": "epss", "scoring_elements": "0.85541", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21647" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/" } ], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93" }, { "reference_url": "https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7" }, { "reference_url": "https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345", "reference_id": "1060345", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257340", "reference_id": "2257340", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257340" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21647", "reference_id": "CVE-2024-21647", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21647" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml", "reference_id": "CVE-2024-21647.YML", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml" }, { "reference_url": "https://github.com/advisories/GHSA-c2f4-cvqm-65w2", "reference_id": "GHSA-c2f4-cvqm-65w2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c2f4-cvqm-65w2" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2", "reference_id": "GHSA-c2f4-cvqm-65w2", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2" }, { "reference_url": "https://usn.ubuntu.com/6597-1/", "reference_id": "USN-6597-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6597-1/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68425?format=api", "purl": "pkg:gem/puma@5.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/68424?format=api", "purl": "pkg:gem/puma@6.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.2" } ], "aliases": [ "CVE-2024-21647", "GHSA-c2f4-cvqm-65w2" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qpmp-qmsu-vufy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3268?format=api", "vulnerability_id": "VCID-vhkc-87t9-tucj", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.5252", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52511", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00288", "scoring_system": "epss", "scoring_elements": "0.52452", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18" }, { "reference_url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f" }, { "reference_url": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v4.3.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v4.3.9" }, { "reference_url": "https://github.com/puma/puma/releases/tag/v5.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/releases/tag/v5.5.1" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013495", "reference_id": "2013495", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013495" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136", "reference_id": "CVE-2021-41136", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41136" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml", "reference_id": "CVE-2021-41136.YML", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml" }, { "reference_url": "https://github.com/advisories/GHSA-48w2-rm65-62xx", "reference_id": "GHSA-48w2-rm65-62xx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-48w2-rm65-62xx" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx", "reference_id": "GHSA-48w2-rm65-62xx", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5498", "reference_id": "RHSA-2022:5498", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5498" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59264?format=api", "purl": "pkg:gem/puma@4.3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/162931?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/59263?format=api", "purl": "pkg:gem/puma@5.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.5.1" } ], "aliases": [ "CVE-2021-41136", "GHSA-48w2-rm65-62xx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vhkc-87t9-tucj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51640?format=api", "vulnerability_id": "VCID-vsxc-v81n-wfcp", "summary": "HTTP Response Splitting vulnerability in puma\nIf an application using Puma allows untrusted input in a response header,\nan attacker can use newline characters (i.e. CR, LF) to end the header and\ninject malicious content, such as additional headers or an entirely new\nresponse body. This vulnerability is known as HTTP Response Splitting.\n\nWhile not an attack in itself, response splitting is a vector for several\nother attacks, such as cross-site scripting (XSS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84376", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84373", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02094", "scoring_system": "epss", "scoring_elements": "0.84349", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5247" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/" }, { "reference_url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" }, { "reference_url": "https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816187", "reference_id": "1816187", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816187" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766", "reference_id": "952766", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5247", "reference_id": "CVE-2020-5247", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5247" }, { "reference_url": "https://github.com/advisories/GHSA-84j7-475p-hp8v", "reference_id": "GHSA-84j7-475p-hp8v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-84j7-475p-hp8v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76786?format=api", "purl": "pkg:gem/puma@3.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/76787?format=api", "purl": "pkg:gem/puma@4.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4td1-xb1a-s3fp" }, { "vulnerability": "VCID-a89c-mhxf-gbcr" }, { "vulnerability": "VCID-afk2-2mrt-h3ds" }, { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-nmrt-u3yt-c3bs" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3" } ], "aliases": [ "CVE-2020-5247", "GHSA-84j7-475p-hp8v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vsxc-v81n-wfcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/3266?format=api", "vulnerability_id": "VCID-y1y1-3d8u-yud7", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62154", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62098", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62147", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/puma/puma", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/puma/puma" }, { "reference_url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://portswigger.net/web-security/request-smuggling", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portswigger.net/web-security/request-smuggling" }, { "reference_url": "https://security.gentoo.org/glsa/202208-28", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://security.gentoo.org/glsa/202208-28" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5146", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5146" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723", "reference_id": "1008723", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071616", "reference_id": "2071616", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071616" }, { "reference_url": "https://security.archlinux.org/AVG-2764", "reference_id": "AVG-2764", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2764" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24790", "reference_id": "CVE-2022-24790", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24790" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/", "reference_id": "F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/" }, { "reference_url": "https://github.com/advisories/GHSA-h99w-9q5r-gjq9", "reference_id": "GHSA-h99w-9q5r-gjq9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h99w-9q5r-gjq9" }, { "reference_url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9", "reference_id": "GHSA-h99w-9q5r-gjq9", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/", "reference_id": "L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8532", "reference_id": "RHSA-2022:8532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1486", "reference_id": "RHSA-2023:1486", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1486" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/", "reference_id": "TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/" }, { "reference_url": "https://usn.ubuntu.com/6682-1/", "reference_id": "USN-6682-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6682-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61160?format=api", "purl": "pkg:gem/puma@4.3.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/162931?format=api", "purl": "pkg:gem/puma@5.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" }, { "vulnerability": "VCID-vhkc-87t9-tucj" }, { "vulnerability": "VCID-y1y1-3d8u-yud7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61161?format=api", "purl": "pkg:gem/puma@5.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jqd6-2kq1-y7fu" }, { "vulnerability": "VCID-prw8-q89n-fkcp" }, { "vulnerability": "VCID-qpmp-qmsu-vufy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.4" } ], "aliases": [ "CVE-2022-24790", "GHSA-h99w-9q5r-gjq9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y1y1-3d8u-yud7" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.0.0" }