Security Advisories

CGA-3h34-wg2f-6fhg

Published

Last updated

https://images.chainguard.dev/security/CGA-3h34-wg2f-6fhg

Package

ruby3.2-puma

Latest Update

Fixed

Fixed Version

6.4.2-r0

Aliases

CVE-2024-21647
GHSA-c2f4-cvqm-65w2

Severity

5.9

Medium

CVSS V3

Summary

Puma HTTP Request/Response Smuggling vulnerability

Description

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

HTTP Request Smuggling
Open an issue in Puma
See our security policy

References

https://nvd.nist.gov/vuln/detail/CVE-2024-21647
https://github.com/advisories/GHSA-c2f4-cvqm-65w2
https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
https://github.com/puma/puma
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-3h34-wg2f-6fhg

Severity

Summary

Description

Impact

Patches

Workarounds

References

References

Updates

Product

Why Chainguard

Customers

Company

Resources