CVE-2023-40175

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40175

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40175.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40175

Aliases

GHSA-68xg-gqqm-vgj8

Related

Published

2023-08-18T22:15:11Z

Modified

2024-09-11T05:00:21.794948Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.8-1

4.3.8-1+deb11u1

4.3.8-1+deb11u2

5.*

5.2.2-1

5.2.2-2

5.3.2-1

5.3.2-2

5.3.2-3

5.5.2-1

5.5.2-2

5.6.4-1

5.6.5-1

5.6.5-2

5.6.5-3

5.6.5-4

5.6.7-1

6.*

6.0.2-1

6.4.0-1

6.4.0-2

6.4.0-3

6.4.0-4

6.4.2-1

6.4.2-2

6.4.2-3

6.4.2-4

6.4.2-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.6.5-3

5.6.5-4

5.6.7-1

6.*

6.0.2-1

6.4.0-1

6.4.0-2

6.4.0-3

6.4.0-4

6.4.2-1

6.4.2-2

6.4.2-3

6.4.2-4

6.4.2-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / puma

Package

Name: puma
Purl: pkg:deb/debian/puma?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.7-1

Affected versions

5.*

5.6.5-3

5.6.5-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/puma/puma

Affected ranges

Type: GIT
Repo: https://github.com/puma/puma
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

690155e7d644b80eeef0a6094f9826ee41f1080a

Affected versions

Other

v1.*

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1

v1.4.0

v1.5.0

v1.6.2

v2.*

v2.0.0

v2.0.0.b2

v2.0.0.b3

v2.0.0.b4

v2.0.0.b5

v2.0.0.b6

v2.0.0.b7

v2.0.1

v2.1.0

v2.1.1

v2.10.0

v2.10.1

v2.10.2

v2.11.0

v2.11.2

v2.11.3

v2.12.0

v2.12.1

v2.12.2

v2.12.3

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.14.0

v2.15.0

v2.15.1

v2.15.2

v2.15.3

v2.16.0

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.7.0

v2.7.1

v2.8.1

v2.8.2

v2.9.0

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.0.0.rc1

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.10.0

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.12.0

v3.12.1

v3.2.0

v3.3.0

v3.4.0

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.7.1

v3.8.0

v3.9.0

v3.9.1

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.3.0

v5.*

v5.0.0

v5.0.0.beta1

v5.0.0.beta2

v5.0.1

v5.0.2

v5.0.3

v5.1.0

v5.2.0

v5.2.1

v5.2.2

v5.3.0

v5.3.1

v5.3.2

v5.4.0

v5.5.0

v5.5.1

v5.5.2

v5.6.0

v5.6.1

v5.6.3

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.1.0

v6.2.0

v6.2.1

v6.2.2

v6.3.0