CVE-2019-16770

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-16770

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16770.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-16770

Aliases

GHSA-7xx3-m584-x994

Related

Published

2019-12-05T20:15:10Z

Modified

2024-09-11T04:28:41.115733Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

References

Affected packages

Debian:11 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.12.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.12.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.12.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/puma/puma

Affected ranges

Type: GIT
Repo: https://github.com/puma/puma
Events: Introduced

f5d7600e4e4d9104803b5f0f5f596f8dc45fc191

Fixed

2986bc4ab5e03072d4c09739649c5c9221b13c8d

Affected versions

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.3.0