Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/puma@3.0.0
Typegem
Namespace
Namepuma
Version3.0.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.6.9
Latest_non_vulnerable_version6.4.3
Affected_by_vulnerabilities
0
url VCID-2xj4-cnr2-wffv
vulnerability_id VCID-2xj4-cnr2-wffv
summary 
Keepalive thread overload/DoS in puma
A poorly-behaved client could use keepalive requests to monopolize
Puma's reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are
threads available, additional connections will wait permanently if
the attacker sends requests frequently enough.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16770.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16770
reference_id
reference_type
scores
0
value 0.01587
scoring_system epss
scoring_elements 0.81957
published_at 2026-06-04T12:55:00Z
1
value 0.01587
scoring_system epss
scoring_elements 0.81992
published_at 2026-06-07T12:55:00Z
2
value 0.01587
scoring_system epss
scoring_elements 0.81991
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16770
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/advisories/GHSA-7xx3-m584-x994
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-7xx3-m584-x994
5
reference_url https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml
7
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1831297
reference_id 1831297
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1831297
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312
reference_id 946312
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16770
reference_id CVE-2019-16770
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16770
fixed_packages
0
url pkg:gem/puma@3.12.2
purl pkg:gem/puma@3.12.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-8yqn-1dq4-ffh1
2
vulnerability VCID-a89c-mhxf-gbcr
3
vulnerability VCID-afk2-2mrt-h3ds
4
vulnerability VCID-jqd6-2kq1-y7fu
5
vulnerability VCID-nmrt-u3yt-c3bs
6
vulnerability VCID-prw8-q89n-fkcp
7
vulnerability VCID-qpmp-qmsu-vufy
8
vulnerability VCID-vhkc-87t9-tucj
9
vulnerability VCID-vsxc-v81n-wfcp
10
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.2
1
url pkg:gem/puma@4.3.1
purl pkg:gem/puma@4.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-8yqn-1dq4-ffh1
2
vulnerability VCID-a89c-mhxf-gbcr
3
vulnerability VCID-afk2-2mrt-h3ds
4
vulnerability VCID-jqd6-2kq1-y7fu
5
vulnerability VCID-nmrt-u3yt-c3bs
6
vulnerability VCID-prw8-q89n-fkcp
7
vulnerability VCID-qpmp-qmsu-vufy
8
vulnerability VCID-vhkc-87t9-tucj
9
vulnerability VCID-vsxc-v81n-wfcp
10
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.1
aliases CVE-2019-16770, GHSA-7xx3-m584-x994
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xj4-cnr2-wffv
1
url VCID-4td1-xb1a-s3fp
vulnerability_id VCID-4td1-xb1a-s3fp
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
reference_id
reference_type
scores
0
value 0.00479
scoring_system epss
scoring_elements 0.65465
published_at 2026-06-06T12:55:00Z
1
value 0.00479
scoring_system epss
scoring_elements 0.65402
published_at 2026-06-04T12:55:00Z
2
value 0.00479
scoring_system epss
scoring_elements 0.65454
published_at 2026-06-05T12:55:00Z
3
value 0.00479
scoring_system epss
scoring_elements 0.65453
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23634
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
7
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
8
reference_url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
9
reference_url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements
1
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
11
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
12
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
13
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23634
21
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-28
22
reference_url https://www.debian.org/security/2022/dsa-5146
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2022/dsa-5146
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
reference_id 1005391
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
reference_id 2054211
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2054211
25
reference_url https://security.archlinux.org/AVG-2764
reference_id AVG-2764
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2764
26
reference_url https://github.com/advisories/GHSA-wh98-p28r-vrc9
reference_id GHSA-wh98-p28r-vrc9
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-wh98-p28r-vrc9
27
reference_url https://access.redhat.com/errata/RHSA-2022:5498
reference_id RHSA-2022:5498
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5498
28
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@4.3.11
purl pkg:gem/puma@4.3.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
3
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.11
1
url pkg:gem/puma@5.6.2
purl pkg:gem/puma@5.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
3
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.2
aliases CVE-2022-23634, GHSA-rmj8-8hhh-gv5h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4td1-xb1a-s3fp
2
url VCID-8yqn-1dq4-ffh1
vulnerability_id VCID-8yqn-1dq4-ffh1
summary 
HTTP Response Splitting (Early Hints) in Puma
### Impact
If an application using Puma allows untrusted input in an early-hints header,
an attacker can use a carriage return character to end the header and inject
malicious content, such as additional headers or an entirely new response body.
This vulnerability is known as [HTTP Response
Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)

While not an attack in itself, response splitting is a vector for several other
attacks, such as cross-site scripting (XSS).

This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),
which fixed this vulnerability but only for regular responses.

### Patches
This has been fixed in 4.3.3 and 3.12.4.

### Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5249
reference_id
reference_type
scores
0
value 0.00498
scoring_system epss
scoring_elements 0.66252
published_at 2026-06-07T12:55:00Z
1
value 0.00498
scoring_system epss
scoring_elements 0.66268
published_at 2026-06-06T12:55:00Z
2
value 0.00498
scoring_system epss
scoring_elements 0.66208
published_at 2026-06-04T12:55:00Z
3
value 0.00498
scoring_system epss
scoring_elements 0.66259
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5249
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
3
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
4
reference_url https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
5
reference_url https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
6
reference_url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
14
reference_url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1816181
reference_id 1816181
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1816181
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122
reference_id 953122
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5249
reference_id CVE-2020-5249
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5249
18
reference_url https://github.com/advisories/GHSA-33vf-4xgg-9r58
reference_id GHSA-33vf-4xgg-9r58
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-33vf-4xgg-9r58
fixed_packages
0
url pkg:gem/puma@3.12.4
purl pkg:gem/puma@3.12.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4
1
url pkg:gem/puma@4.3.3
purl pkg:gem/puma@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3
aliases CVE-2020-5249, GHSA-33vf-4xgg-9r58
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8yqn-1dq4-ffh1
3
url VCID-a89c-mhxf-gbcr
vulnerability_id VCID-a89c-mhxf-gbcr
summary 
HTTP Smuggling via Transfer-Encoding Header in Puma
### Impact

This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.

A client could smuggle a request through a proxy, causing the proxy to send a response
back to another unknown client.

If the proxy uses persistent connections and the client adds another request in via HTTP
pipelining, the proxy may mistake it as the first request's body. Puma, however,
would see it as two requests, and when processing the second request, send back
a response that the proxy does not expect. If the proxy has reused the persistent
connection to Puma to send another request for a different client, the second response
from the first client will be sent to the second client.

### Patches

The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11077.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11077.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11077
reference_id
reference_type
scores
0
value 0.00821
scoring_system epss
scoring_elements 0.74783
published_at 2026-06-05T12:55:00Z
1
value 0.00821
scoring_system epss
scoring_elements 0.7478
published_at 2026-06-07T12:55:00Z
2
value 0.00821
scoring_system epss
scoring_elements 0.74753
published_at 2026-06-04T12:55:00Z
3
value 0.00821
scoring_system epss
scoring_elements 0.74789
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11077
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
7
reference_url https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
8
reference_url https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements
1
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11077.yml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11077.yml
10
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1842534
reference_id 1842534
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1842534
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102
reference_id 972102
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11077
reference_id CVE-2020-11077
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-11077
16
reference_url https://github.com/advisories/GHSA-w64w-qqph-5gxm
reference_id GHSA-w64w-qqph-5gxm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w64w-qqph-5gxm
17
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@3.12.6
purl pkg:gem/puma@3.12.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-nmrt-u3yt-c3bs
3
vulnerability VCID-prw8-q89n-fkcp
4
vulnerability VCID-qpmp-qmsu-vufy
5
vulnerability VCID-vhkc-87t9-tucj
6
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.6
1
url pkg:gem/puma@4.3.5
purl pkg:gem/puma@4.3.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-nmrt-u3yt-c3bs
3
vulnerability VCID-prw8-q89n-fkcp
4
vulnerability VCID-qpmp-qmsu-vufy
5
vulnerability VCID-vhkc-87t9-tucj
6
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.5
aliases CVE-2020-11077, GHSA-w64w-qqph-5gxm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a89c-mhxf-gbcr
4
url VCID-afk2-2mrt-h3ds
vulnerability_id VCID-afk2-2mrt-h3ds
summary 
HTTP Smuggling via Transfer-Encoding Header in Puma
### Impact

By using an invalid transfer-encoding header, an attacker could
[smuggle an HTTP response.](https://portswigger.net/web-security/request-smuggling)

### Patches

The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11076.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11076.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-11076
reference_id
reference_type
scores
0
value 0.01782
scoring_system epss
scoring_elements 0.83091
published_at 2026-06-06T12:55:00Z
1
value 0.01782
scoring_system epss
scoring_elements 0.83092
published_at 2026-06-05T12:55:00Z
2
value 0.01782
scoring_system epss
scoring_elements 0.83065
published_at 2026-06-04T12:55:00Z
3
value 0.01782
scoring_system epss
scoring_elements 0.83088
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-11076
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11076
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11076
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
7
reference_url https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
8
reference_url https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
9
reference_url https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml
11
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1842539
reference_id 1842539
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1842539
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102
reference_id 972102
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-11076
reference_id CVE-2020-11076
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-11076
17
reference_url https://github.com/advisories/GHSA-x7jg-6pwg-fx5h
reference_id GHSA-x7jg-6pwg-fx5h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x7jg-6pwg-fx5h
18
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@3.12.5
purl pkg:gem/puma@3.12.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.5
1
url pkg:gem/puma@3.12.6
purl pkg:gem/puma@3.12.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-nmrt-u3yt-c3bs
3
vulnerability VCID-prw8-q89n-fkcp
4
vulnerability VCID-qpmp-qmsu-vufy
5
vulnerability VCID-vhkc-87t9-tucj
6
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.6
2
url pkg:gem/puma@4.3.4
purl pkg:gem/puma@4.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.4
3
url pkg:gem/puma@4.3.5
purl pkg:gem/puma@4.3.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-nmrt-u3yt-c3bs
3
vulnerability VCID-prw8-q89n-fkcp
4
vulnerability VCID-qpmp-qmsu-vufy
5
vulnerability VCID-vhkc-87t9-tucj
6
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.5
aliases CVE-2020-11076, GHSA-x7jg-6pwg-fx5h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-afk2-2mrt-h3ds
5
url VCID-jqd6-2kq1-y7fu
vulnerability_id VCID-jqd6-2kq1-y7fu
summary 
Puma's header normalization allows for client to clobber proxy set headers
### Impact

Clients could clobber values set by intermediate proxies (such as
X-Forwarded-For) by providing a underscore version of the same
header (X-Forwarded_For).

Any users trusting headers set by their proxy may be affected.
Attackers may be able to downgrade connections to HTTP (non-SSL)
or redirect responses, which could cause confidentiality leaks
if combined with a separate MITM attack.

### Patches
v6.4.3/v5.6.9 now discards any headers using underscores if the
non-underscore version also exists.  Effectively, allowing the
proxy defined headers to always win.

### Workarounds
Nginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)
configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers
for security or availability should immediately cease doing so
until upgraded to the fixed versions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45614.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45614
reference_id
reference_type
scores
0
value 0.00803
scoring_system epss
scoring_elements 0.74478
published_at 2026-06-07T12:55:00Z
1
value 0.00803
scoring_system epss
scoring_elements 0.7449
published_at 2026-06-06T12:55:00Z
2
value 0.00803
scoring_system epss
scoring_elements 0.74484
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45614
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45614
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
5
reference_url https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
6
reference_url https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
7
reference_url https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/
url https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
8
reference_url https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
9
reference_url https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T13:54:35Z/
url https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379
reference_id 1082379
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082379
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2313672
reference_id 2313672
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2313672
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45614
reference_id CVE-2024-45614
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45614
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml
reference_id CVE-2024-45614.YML
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml
14
reference_url https://github.com/advisories/GHSA-9hf4-67fc-4vf4
reference_id GHSA-9hf4-67fc-4vf4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9hf4-67fc-4vf4
15
reference_url https://usn.ubuntu.com/7031-1/
reference_id USN-7031-1
reference_type
scores
url https://usn.ubuntu.com/7031-1/
16
reference_url https://usn.ubuntu.com/7031-2/
reference_id USN-7031-2
reference_type
scores
url https://usn.ubuntu.com/7031-2/
fixed_packages
0
url pkg:gem/puma@5.6.9
purl pkg:gem/puma@5.6.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.9
1
url pkg:gem/puma@6.4.3
purl pkg:gem/puma@6.4.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.3
aliases CVE-2024-45614, GHSA-9hf4-67fc-4vf4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jqd6-2kq1-y7fu
6
url VCID-nmrt-u3yt-c3bs
vulnerability_id VCID-nmrt-u3yt-c3bs
summary 
Keepalive Connections Causing Denial Of Service in puma
### Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected
existing connections that had already been accepted from having their
requests starved by greedy persistent-connections saturating all threads in
the same process. However, new connections may still be starved by greedy
persistent-connections saturating all threads in all processes in the
cluster.

A puma server which received more concurrent keep-alive connections than the
server had threads in its threadpool would service only a subset of
connections, denying service to the unserved connections.

### Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

### Workarounds

Setting queue_requests false also fixes the issue. This is not advised when
using puma without a reverse proxy, such as nginx or apache, because you will
open yourself to slow client attacks (e.g. [slowloris][1]).

The fix is very small. [A git patch is available here][2] for those using
[unsupported versions][3] of Puma.

[1]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)
[2]: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
[3]: https://github.com/puma/puma/security/policy#supported-versions
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29509.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29509
reference_id
reference_type
scores
0
value 0.01358
scoring_system epss
scoring_elements 0.8048
published_at 2026-06-04T12:55:00Z
1
value 0.01358
scoring_system epss
scoring_elements 0.80505
published_at 2026-06-07T12:55:00Z
2
value 0.01358
scoring_system epss
scoring_elements 0.80509
published_at 2026-06-06T12:55:00Z
3
value 0.01358
scoring_system epss
scoring_elements 0.80507
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29509
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
5
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
6
reference_url https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
7
reference_url https://github.com/puma/puma/security/policy
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/policy
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml
9
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
10
reference_url https://rubygems.org/gems/puma
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/puma
11
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-28
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1964874
reference_id 1964874
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1964874
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054
reference_id 989054
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989054
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29509
reference_id CVE-2021-29509
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29509
15
reference_url https://github.com/advisories/GHSA-q28m-8xjw-8vr5
reference_id GHSA-q28m-8xjw-8vr5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q28m-8xjw-8vr5
16
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:gem/puma@4.3.8
purl pkg:gem/puma@4.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-prw8-q89n-fkcp
3
vulnerability VCID-qpmp-qmsu-vufy
4
vulnerability VCID-vhkc-87t9-tucj
5
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.8
1
url pkg:gem/puma@5.0.0.beta1
purl pkg:gem/puma@5.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
3
vulnerability VCID-vhkc-87t9-tucj
4
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1
2
url pkg:gem/puma@5.3.1
purl pkg:gem/puma@5.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-prw8-q89n-fkcp
3
vulnerability VCID-qpmp-qmsu-vufy
4
vulnerability VCID-vhkc-87t9-tucj
5
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.3.1
aliases CVE-2021-29509, GHSA-q28m-8xjw-8vr5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nmrt-u3yt-c3bs
7
url VCID-prw8-q89n-fkcp
vulnerability_id VCID-prw8-q89n-fkcp
summary 
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40175.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40175
reference_id
reference_type
scores
0
value 0.00377
scoring_system epss
scoring_elements 0.59652
published_at 2026-06-07T12:55:00Z
1
value 0.00377
scoring_system epss
scoring_elements 0.5966
published_at 2026-06-06T12:55:00Z
2
value 0.00377
scoring_system epss
scoring_elements 0.59657
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40175
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40175
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
5
reference_url https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/
url https://github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a
6
reference_url https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662
7
reference_url https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1
8
reference_url https://github.com/puma/puma/releases/tag/v5.6.7
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/releases/tag/v5.6.7
9
reference_url https://github.com/puma/puma/releases/tag/v6.3.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/releases/tag/v6.3.1
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079
reference_id 1050079
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2232729
reference_id 2232729
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2232729
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40175
reference_id CVE-2023-40175
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40175
14
reference_url https://github.com/advisories/GHSA-68xg-gqqm-vgj8
reference_id GHSA-68xg-gqqm-vgj8
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68xg-gqqm-vgj8
15
reference_url https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
reference_id GHSA-68xg-gqqm-vgj8
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
4
value CRITICAL
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-07T20:03:28Z/
url https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
16
reference_url https://access.redhat.com/errata/RHSA-2024:0797
reference_id RHSA-2024:0797
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0797
17
reference_url https://usn.ubuntu.com/6399-1/
reference_id USN-6399-1
reference_type
scores
url https://usn.ubuntu.com/6399-1/
18
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@5.6.7
purl pkg:gem/puma@5.6.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-qpmp-qmsu-vufy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.7
1
url pkg:gem/puma@6.3.1
purl pkg:gem/puma@6.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-qpmp-qmsu-vufy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.3.1
aliases CVE-2023-40175, GHSA-68xg-gqqm-vgj8
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-prw8-q89n-fkcp
8
url VCID-qpmp-qmsu-vufy
vulnerability_id VCID-qpmp-qmsu-vufy
summary 
Puma HTTP Request/Response Smuggling vulnerability
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21647.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-21647
reference_id
reference_type
scores
0
value 0.0246
scoring_system epss
scoring_elements 0.85546
published_at 2026-06-06T12:55:00Z
1
value 0.0246
scoring_system epss
scoring_elements 0.85541
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-21647
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21647
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
5
reference_url https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/
url https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
6
reference_url https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
7
reference_url https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
8
reference_url https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345
reference_id 1060345
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060345
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2257340
reference_id 2257340
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2257340
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-21647
reference_id CVE-2024-21647
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-21647
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
reference_id CVE-2024-21647.YML
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
13
reference_url https://github.com/advisories/GHSA-c2f4-cvqm-65w2
reference_id GHSA-c2f4-cvqm-65w2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c2f4-cvqm-65w2
14
reference_url https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
reference_id GHSA-c2f4-cvqm-65w2
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements
1
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:56:45Z/
url https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
15
reference_url https://usn.ubuntu.com/6597-1/
reference_id USN-6597-1
reference_type
scores
url https://usn.ubuntu.com/6597-1/
16
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@5.6.8
purl pkg:gem/puma@5.6.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.8
1
url pkg:gem/puma@6.4.2
purl pkg:gem/puma@6.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@6.4.2
aliases CVE-2024-21647, GHSA-c2f4-cvqm-65w2
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qpmp-qmsu-vufy
9
url VCID-vhkc-87t9-tucj
vulnerability_id VCID-vhkc-87t9-tucj
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41136.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-41136
reference_id
reference_type
scores
0
value 0.00288
scoring_system epss
scoring_elements 0.525
published_at 2026-06-07T12:55:00Z
1
value 0.00288
scoring_system epss
scoring_elements 0.52452
published_at 2026-06-04T12:55:00Z
2
value 0.00288
scoring_system epss
scoring_elements 0.5252
published_at 2026-06-06T12:55:00Z
3
value 0.00288
scoring_system epss
scoring_elements 0.52511
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-41136
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
7
reference_url https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18
8
reference_url https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
9
reference_url https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139
10
reference_url https://github.com/puma/puma/releases/tag/v4.3.9
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/releases/tag/v4.3.9
11
reference_url https://github.com/puma/puma/releases/tag/v5.5.1
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/releases/tag/v5.5.1
12
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
13
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-28
14
reference_url https://www.debian.org/security/2022/dsa-5146
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2022/dsa-5146
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2013495
reference_id 2013495
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2013495
16
reference_url https://security.archlinux.org/AVG-2764
reference_id AVG-2764
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2764
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-41136
reference_id CVE-2021-41136
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-41136
18
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml
reference_id CVE-2021-41136.YML
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml
19
reference_url https://github.com/advisories/GHSA-48w2-rm65-62xx
reference_id GHSA-48w2-rm65-62xx
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-48w2-rm65-62xx
20
reference_url https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
reference_id GHSA-48w2-rm65-62xx
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements
1
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
21
reference_url https://access.redhat.com/errata/RHSA-2022:5498
reference_id RHSA-2022:5498
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5498
fixed_packages
0
url pkg:gem/puma@4.3.9
purl pkg:gem/puma@4.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-prw8-q89n-fkcp
3
vulnerability VCID-qpmp-qmsu-vufy
4
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.9
1
url pkg:gem/puma@5.0.0.beta1
purl pkg:gem/puma@5.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
3
vulnerability VCID-vhkc-87t9-tucj
4
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1
2
url pkg:gem/puma@5.5.1
purl pkg:gem/puma@5.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-jqd6-2kq1-y7fu
2
vulnerability VCID-prw8-q89n-fkcp
3
vulnerability VCID-qpmp-qmsu-vufy
4
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.5.1
aliases CVE-2021-41136, GHSA-48w2-rm65-62xx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vhkc-87t9-tucj
10
url VCID-vsxc-v81n-wfcp
vulnerability_id VCID-vsxc-v81n-wfcp
summary 
HTTP Response Splitting vulnerability in puma
If an application using Puma allows untrusted input in a response header,
an attacker can use newline characters (i.e. CR, LF) to end the header and
inject malicious content, such as additional headers or an entirely new
response body. This vulnerability is known as HTTP Response Splitting.

While not an attack in itself, response splitting is a vector for several
other attacks, such as cross-site scripting (XSS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5247
reference_id
reference_type
scores
0
value 0.02094
scoring_system epss
scoring_elements 0.8437
published_at 2026-06-07T12:55:00Z
1
value 0.02094
scoring_system epss
scoring_elements 0.84376
published_at 2026-06-06T12:55:00Z
2
value 0.02094
scoring_system epss
scoring_elements 0.84373
published_at 2026-06-05T12:55:00Z
3
value 0.02094
scoring_system epss
scoring_elements 0.84349
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5247
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
5
reference_url https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
6
reference_url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
15
reference_url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
16
reference_url https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1816187
reference_id 1816187
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1816187
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
reference_id 952766
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5247
reference_id CVE-2020-5247
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5247
20
reference_url https://github.com/advisories/GHSA-84j7-475p-hp8v
reference_id GHSA-84j7-475p-hp8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-84j7-475p-hp8v
fixed_packages
0
url pkg:gem/puma@3.12.4
purl pkg:gem/puma@3.12.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@3.12.4
1
url pkg:gem/puma@4.3.3
purl pkg:gem/puma@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4td1-xb1a-s3fp
1
vulnerability VCID-a89c-mhxf-gbcr
2
vulnerability VCID-afk2-2mrt-h3ds
3
vulnerability VCID-jqd6-2kq1-y7fu
4
vulnerability VCID-nmrt-u3yt-c3bs
5
vulnerability VCID-prw8-q89n-fkcp
6
vulnerability VCID-qpmp-qmsu-vufy
7
vulnerability VCID-vhkc-87t9-tucj
8
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3
aliases CVE-2020-5247, GHSA-84j7-475p-hp8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vsxc-v81n-wfcp
11
url VCID-y1y1-3d8u-yud7
vulnerability_id VCID-y1y1-3d8u-yud7
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24790.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24790
reference_id
reference_type
scores
0
value 0.00417
scoring_system epss
scoring_elements 0.62143
published_at 2026-06-07T12:55:00Z
1
value 0.00417
scoring_system epss
scoring_elements 0.62098
published_at 2026-06-04T12:55:00Z
2
value 0.00417
scoring_system epss
scoring_elements 0.62147
published_at 2026-06-05T12:55:00Z
3
value 0.00417
scoring_system epss
scoring_elements 0.62154
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24790
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
7
reference_url https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
9
reference_url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
16
reference_url https://portswigger.net/web-security/request-smuggling
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://portswigger.net/web-security/request-smuggling
17
reference_url https://security.gentoo.org/glsa/202208-28
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://security.gentoo.org/glsa/202208-28
18
reference_url https://www.debian.org/security/2022/dsa-5146
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://www.debian.org/security/2022/dsa-5146
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723
reference_id 1008723
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008723
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2071616
reference_id 2071616
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2071616
21
reference_url https://security.archlinux.org/AVG-2764
reference_id AVG-2764
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2764
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24790
reference_id CVE-2022-24790
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24790
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
24
reference_url https://github.com/advisories/GHSA-h99w-9q5r-gjq9
reference_id GHSA-h99w-9q5r-gjq9
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h99w-9q5r-gjq9
25
reference_url https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
reference_id GHSA-h99w-9q5r-gjq9
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
26
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
27
reference_url https://access.redhat.com/errata/RHSA-2022:8532
reference_id RHSA-2022:8532
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:8532
28
reference_url https://access.redhat.com/errata/RHSA-2023:1486
reference_id RHSA-2023:1486
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1486
29
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:50:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
30
reference_url https://usn.ubuntu.com/6682-1/
reference_id USN-6682-1
reference_type
scores
url https://usn.ubuntu.com/6682-1/
fixed_packages
0
url pkg:gem/puma@4.3.12
purl pkg:gem/puma@4.3.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.12
1
url pkg:gem/puma@5.0.0.beta1
purl pkg:gem/puma@5.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
3
vulnerability VCID-vhkc-87t9-tucj
4
vulnerability VCID-y1y1-3d8u-yud7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.0.0.beta1
2
url pkg:gem/puma@5.6.4
purl pkg:gem/puma@5.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jqd6-2kq1-y7fu
1
vulnerability VCID-prw8-q89n-fkcp
2
vulnerability VCID-qpmp-qmsu-vufy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@5.6.4
aliases CVE-2022-24790, GHSA-h99w-9q5r-gjq9
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y1y1-3d8u-yud7
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/puma@3.0.0