CVE-2024-21647 (High) detected in puma-4.3.0.gem

[mend-bolt-for-github[bot]]

CVE-2024-21647 - High Severity Vulnerability

Vulnerable Library - puma-4.3.0.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /ms/2.3.0/cache/puma-4.3.0.gem

Dependency Hierarchy: - :x: **puma-4.3.0.gem** (Vulnerable Library)

Found in HEAD commit: 160eff84448f7d5b197755b8956d5aad9019a13c

Found in base branch: master

Vulnerability Details

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Publish Date: 2024-01-08

URL: CVE-2024-21647

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21647

Release Date: 2024-01-08

Fix Resolution: puma - 5.6.8,6.4.2

---

Step up your Open Source Security Game with Mend here