CVE-2022-23634
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-23634
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23634.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-23634
- Aliases
- Related
- Published
- 2022-02-11T22:15:07Z
- Modified
- 2024-09-11T04:43:01.204426Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Puma is a Ruby/Rack web server built for parallelism. Prior to
pumaversion5.6.2,pumamay not always callcloseon the response body. Rails, prior to version7.0.2.2, depended on the response body being closed in order for itsCurrentAttributesimplementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability. - References
-
- https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
- https://github.com/advisories/GHSA-wh98-p28r-vrc9
- https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
- https://security.gentoo.org/glsa/202208-28
- https://www.debian.org/security/2022/dsa-5146
- https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://security-tracker.debian.org/tracker/CVE-2022-23634
Affected packages
Debian:11 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:12 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Debian:13 / puma
Package
- Name
- puma
- Purl
- pkg:deb/debian/puma?arch=source
Git / github.com/puma/puma
Affected ranges
- Type
- GIT
- Repo
- https://github.com/puma/puma
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/rails/rails
- Events
Affected versions
Other
rm
v1.*
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.6.2
v2.*
v2.0.0
v2.0.0.b2
v2.0.0.b3
v2.0.0.b4
v2.0.0.b5
v2.0.0.b6
v2.0.0.b7
v2.0.1
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.11.2
v2.11.3
v2.12.0
v2.12.1
v2.12.2
v2.12.3
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.14.0
v2.15.0
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.7.1
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.0.0.rc1
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.10.0
v3.11.0
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0
v3.12.1
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.1
v3.8.0
v3.9.0
v3.9.1
v4.*
v4.0.0
v4.0.1
v4.1.0
v4.2.0
v4.2.1
v4.3.0
v5.*
v5.0.0
v5.0.0.beta1
v5.0.0.beta2
v5.0.1
v5.0.2
v5.0.3
v5.1.0
v5.2.0
v5.2.1
v5.2.2
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.6.1