CVE-2019-16770 - OpenCVE

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Puma	Puma

Configuration 1 [-]

OR	cpe:2.3:a:puma:puma::::::ruby::*
	cpe:2.3:a:puma:puma::::::ruby::*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
https://nvd.nist.gov/vuln/detail/CVE-2019-16770
https://www.cve.org/CVERecord?id=CVE-2019-16770

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2019-12-05T19:35:14

Updated: 2024-08-05T01:24:48.578Z

Reserved: 2019-09-24T00:00:00

Link: CVE-2019-16770

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-05T20:15:10.093

Modified: 2022-10-08T02:42:22.527

Link: CVE-2019-16770

Redhat

Severity : Moderate

Publid Date: 2019-12-05T00:00:00Z

Links: CVE-2019-16770 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "puma", "vendor": "puma", "versions": [{"lessThan": "4.3.1", "status": "affected", "version": "< 4.3.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-26T00:06:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"}, {"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"}], "source": {"advisory": "GHSA-7xx3-m584-x994", "discovery": "UNKNOWN"}, "title": "Potential DOS attack in Puma", "workarounds": [{"lang": "en", "value": "Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16770", "STATE": "PUBLIC", "TITLE": "Potential DOS attack in Puma"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "puma", "version": {"version_data": [{"version_affected": "<", "version_name": "< 4.3.1", "version_value": "4.3.1"}]}}]}, "vendor_name": "puma"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994", "refsource": "CONFIRM", "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"}, {"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"}]}, "source": {"advisory": "GHSA-7xx3-m584-x994", "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:48.578Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"}, {"name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16770", "datePublished": "2019-12-05T19:35:14", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:48.578Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "F07EBCE0-597F-4CC0-BD4F-93F97B05A684", "versionEndExcluding": "3.12.2", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "2E92BCF2-211F-4B03-AC15-4053953FB112", "versionEndExcluding": "4.3.1", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2."}, {"lang": "es", "value": "En Puma, anterior a las versiones 3.12.2 y 4.3.1, un cliente con mal comportamiento podr\u00eda utilizar solicitudes de keepalive para monopolizar el reactor de Puma y crear un ataque de denegaci\u00f3n de servicio. Si se abren m\u00e1s conexiones keepalive a Puma que hilos disponibles, las conexiones adicionales esperar\u00e1n permanentemente si el atacante env\u00eda solicitudes con la suficiente frecuencia. Esta vulnerabilidad est\u00e1 reparada en Puma 4.3.1 y 3.12.2."}], "id": "CVE-2019-16770", "lastModified": "2022-10-08T02:42:22.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-12-05T20:15:10.093", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "rubygem-puma: keepalive requests from poorly-behaved client leads to denial of service", "id": "1831297", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831297"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.", "A flaw was found in rubygem-puma. A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough."], "mitigation": {"lang": "en:us", "value": "Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool."}, "name": "CVE-2019-16770", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "impact": "low", "package_name": "rubygem-puma", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "rubygem-puma", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ror50-rubygem-puma", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Storage 3"}], "public_date": "2019-12-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-16770\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16770\nhttps://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"], "statement": "Red Hat CloudForms uses affected RubyGem Puma, however, not vulnerable since after increasing multiple keepalive connections compare to threads available; additional connections have not waited long.\nRed Hat Gluster Storage Web Administration component uses affected RubyGem Puma.", "threat_severity": "Moderate", "upstream_fix": "rubygem-puma 4.3.1, rubygem-puma 3.12.2"}