Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4eDMtbTU4NC14OTk0
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
Keepalive thread overload/DoS
Impact
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.
If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Patches
This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Workarounds
Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
For more information
If you have any questions or comments about this advisory:
- Open an issue at puma.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4eDMtbTU4NC14OTk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-7xx3-m584-x994, CVE-2019-16770
References:
- https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
- https://nvd.nist.gov/vuln/detail/CVE-2019-16770
- https://github.com/advisories/GHSA-7xx3-m584-x994
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml
Blast Radius: 29.7
Affected Packages
rubygems:puma
Dependent packages: 653Dependent repositories: 404,320
Downloads: 407,176,256 total
Affected Version Ranges: >= 4.0.0, < 4.3.1, < 3.12.2
Fixed in: 4.3.1, 3.12.2
All affected versions: 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.14.0, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.12.0, 3.12.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0
All unaffected versions: 3.12.2, 3.12.4, 3.12.5, 3.12.6, 4.3.1, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.3.12, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.6.0, 5.6.1, 5.6.2, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3