HTTP Request Smuggling in puma
CVE-2022-24790

9.1CRITICAL

Key Information:

Vendor

Puma

Status
Puma
Vendor
CVE Published:
30 March 2022

What is CVE-2022-24790?

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

Affected Version(s)

puma < 4.3.12 < 4.3.12

puma >= 5.0.0, < 5.6.4 < 5.0.0, 5.6.4

References

https://github.com/puma/puma/security/advisories/GHSA-h99...
x_refsource_CONFIRM
https://github.com/puma/puma/commit/5bb7d202e24dec00a898d...
x_refsource_MISC
https://www.debian.org/security/2022/dsa-5146
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.