{"containers": {"cna": {"affected": [{"product": "puma", "vendor": "puma", "versions": [{"status": "affected", "version": "< 4.3.8"}, {"status": "affected", "version": ">= 5.0.0, < 5.3.1"}]}], "descriptions": [{"lang": "en", "value": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-27T20:06:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/puma/puma/security/policy"}, {"tags": ["x_refsource_MISC"], "url": "https://rubygems.org/gems/puma"}, {"name": "GLSA-202208-28", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}], "source": {"advisory": "GHSA-q28m-8xjw-8vr5", "discovery": "UNKNOWN"}, "title": "Keepalive Connections Causing Denial Of Service in puma", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29509", "STATE": "PUBLIC", "TITLE": "Keepalive Connections Causing Denial Of Service in puma"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "puma", "version": {"version_data": [{"version_value": "< 4.3.8"}, {"version_value": ">= 5.0.0, < 5.3.1"}]}}]}, "vendor_name": "puma"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5", "refsource": "CONFIRM", "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"}, {"name": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837", "refsource": "MISC", "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"}, {"name": "https://github.com/puma/puma/security/policy", "refsource": "MISC", "url": "https://github.com/puma/puma/security/policy"}, {"name": "https://rubygems.org/gems/puma", "refsource": "MISC", "url": "https://rubygems.org/gems/puma"}, {"name": "GLSA-202208-28", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}]}, "source": {"advisory": "GHSA-q28m-8xjw-8vr5", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:11:05.438Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/puma/puma/security/policy"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rubygems.org/gems/puma"}, {"name": "GLSA-202208-28", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29509", "datePublished": "2021-05-11T16:50:11", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:11:05.438Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6615E4AB-9A83-493C-81D1-327943F967B1", "versionEndExcluding": "4.3.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "8C9744B0-7CD1-4B9A-ACE6-7A6199F24FD5", "versionEndExcluding": "5.3.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."}, {"lang": "es", "value": "Puma es un servidor HTTP versi\u00f3n 1.1 concurrente para aplicaciones Ruby/Rack.&#xa0;La soluci\u00f3n para CVE-2019-16770 estaba incompleta.&#xa0;La correcci\u00f3n original solo proteg\u00eda las conexiones existentes que ya hab\u00edan sido aceptadas para evitar que sus peticiones se vieran muertas por conexiones persistentes codiciosas que saturaban todos los hilos en el mismo proceso.&#xa0;Sin embargo, es posible que las conexiones persistentes codiciosas sigan privando a las nuevas conexiones que saturan todos los subprocesos en todos los procesos del cl\u00faster.&#xa0;Un servidor \"puma\" que recibiera m\u00e1s conexiones \"keep-alive\" simult\u00e1neas de las que el servidor ten\u00eda subprocesos en su grupo de subprocesos dar\u00eda servicio s\u00f3lo a un subconjunto de conexiones, negando el servicio a las conexiones no atendidas.&#xa0;Este problema se ha solucionado en \"puma\" versiones 4.3.8 y 5.3.1.&#xa0;La configuraci\u00f3n de \"queue_requests false\" tambi\u00e9n soluciona el problema.&#xa0;Esto no se recomienda cuando se usa \"puma\" sin un proxy inverso, como \"nginx\" o \"apache\",&#xa0;porque te expondr\u00e1s a ataques lentos de clientes (por ejemplo, slowloris).&#xa0;La soluci\u00f3n es muy peque\u00f1a y hay un parche de git disponible para aquellos que usan versiones no compatibles de Puma"}], "id": "CVE-2021-29509", "lastModified": "2022-10-27T12:39:50.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-11T17:15:07.627", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/puma/puma/security/policy"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://rubygems.org/gems/puma"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-28"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite:6.10::el7", "package": "tfm-rubygem-puma-0:5.3.2-1.el7sat", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}], "bugzilla": {"description": "rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)", "id": "1964874", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964874"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.", "A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections."], "name": "CVE-2021-29509", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "rubygem-puma", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-amp-backend", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-amp-zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Storage 3"}], "public_date": "2021-05-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-29509\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29509\nhttps://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"], "statement": "Red Hat CloudForms 5.0 (CFME 5.11) is in the maintenance support phase and we are no longer fixing Medium/Low severity security bugs. Reference: https://access.redhat.com/support/policy/updates/cloudforms", "threat_severity": "Moderate", "upstream_fix": "puma 4.3.8, puma 5.3.1"}