Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-21647

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Published

2024-01-08T14:15:47.640

Last Modified

2024-11-21T08:54:47.780

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

Weaknesses

Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	puma	puma	< 5.6.8	Yes
Application	puma	puma	< 6.4.2	Yes

References

https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93 Patch ([email protected])
https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 Vendor Advisory ([email protected])
https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)