rpm package
opensuse/ruby3.2-rubygem-puma-5&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/ruby3.2-rubygem-puma-5&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-24790 | — | < 5.6.5-1.7 | 5.6.5-1.7 | Mar 30, 2022 | Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta | ||
| CVE-2021-41136 | — | < 5.6.5-1.7 | 5.6.5-1.7 | Oct 12, 2021 | Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p | ||
| CVE-2021-29509 | — | < 5.6.5-1.7 | 5.6.5-1.7 | May 11, 2021 | Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threa | ||
| CVE-2020-11076 | — | < 5.6.5-1.7 | 5.6.5-1.7 | May 22, 2020 | In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. | ||
| CVE-2019-16770 | — | < 5.6.5-1.7 | 5.6.5-1.7 | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p |
- CVE-2022-24790Mar 30, 2022affected < 5.6.5-1.7fixed 5.6.5-1.7
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
- CVE-2021-41136Oct 12, 2021affected < 5.6.5-1.7fixed 5.6.5-1.7
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
- CVE-2021-29509May 11, 2021affected < 5.6.5-1.7fixed 5.6.5-1.7
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threa
- CVE-2020-11076May 22, 2020affected < 5.6.5-1.7fixed 5.6.5-1.7
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
- CVE-2019-16770Dec 5, 2019affected < 5.6.5-1.7fixed 5.6.5-1.7
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p