Vulnerability Name:

CVE-2022-24790 (CCN-223165)

Assigned:2022-03-30
Published:2022-03-30
Updated:2022-10-12
Summary:Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-444
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2022-24790

Source: XF
Type: UNKNOWN
puma-cve202224790-request-smuggling(223165)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5

Source: CCN
Type: Puma GIT Repository
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-7c8b29195f

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-52d0032596

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-de968d1b6c

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-28

Source: DEBIAN
Type: Third Party Advisory
DSA-5146

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2022-24790

Vulnerable Configuration:Configuration 1:
  • cpe:/a:puma:puma:*:*:*:*:*:ruby:*:* (Version < 4.3.12)
  • OR cpe:/a:puma:puma:*:*:*:*:*:ruby:*:* (Version >= 5.0.0 and < 5.6.4)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:37:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:puma:puma:4.3.11:*:*:*:*:ruby:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:631
    P
    		Security update for rubygem-puma (Important) (in QA)
    2022-09-28
    BACK
    puma puma *
    puma puma *
    debian debian linux 10.0
    debian debian linux 11.0
    fedoraproject fedora 35
    fedoraproject fedora 36
    fedoraproject fedora 37
    puma puma 4.3.11