CVE-2019-16770 (High) detected in puma-3.12.1.gem

[mend-bolt-for-github[bot]]

CVE-2019-16770 - High Severity Vulnerability

Vulnerable Library - puma-3.12.1.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-3.12.1.gem

Dependency Hierarchy: - :x: **puma-3.12.1.gem** (Vulnerable Library)

Found in HEAD commit: 0cc6845b68c9648d6cc64293d4276d9e63d3123e

Vulnerability Details

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Publish Date: 2019-12-05

URL: CVE-2019-16770

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16770

Release Date: 2019-12-05

Fix Resolution: v4.3.1

---

Step up your Open Source Security Game with WhiteSource here