CVE-2019-16770
Last modified
CVE-2019-16770 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. EPSS estimates a 1.93% chance of exploitation in the next 30 days.
Description
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Puma | Puma | >= 3.0.0, < 3.12.2 |
| Puma | Puma | >= 4.0.0, < 4.3.1 |
| Debian | Debian Linux | 9.0 |
References
- https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994Mitigation, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.htmlMailing List, Third Party Advisory
- https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994Mitigation, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.htmlMailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-16770?
How severe is CVE-2019-16770?
How do I fix CVE-2019-16770?
Are you affected by CVE-2019-16770?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST