rpm package
suse/rubygem-puma&distro=SUSE Linux Enterprise High Availability Extension 15 SP2
pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45614 | — | < 4.3.12-150000.3.15.1 | 4.3.12-150000.3.15.1 | Sep 19, 2024 | Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affect | ||
| CVE-2024-21647 | — | < 4.3.12-150000.3.15.1 | 4.3.12-150000.3.15.1 | Jan 8, 2024 | Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without | ||
| CVE-2023-40175 | — | < 4.3.12-150000.3.12.1 | 4.3.12-150000.3.12.1 | Aug 18, 2023 | Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is | ||
| CVE-2022-24790 | — | < 4.3.12-150000.3.9.1 | 4.3.12-150000.3.9.1 | Mar 30, 2022 | Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta | ||
| CVE-2022-23634 | — | < 4.3.11-150000.3.6.2 | 4.3.11-150000.3.6.2 | Feb 11, 2022 | Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to wor | ||
| CVE-2021-41136 | — | < 4.3.11-150000.3.6.2 | 4.3.11-150000.3.6.2 | Oct 12, 2021 | Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p | ||
| CVE-2021-29509 | — | < 4.3.11-150000.3.6.2 | 4.3.11-150000.3.6.2 | May 11, 2021 | Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threa | ||
| CVE-2020-11077 | — | < 4.3.5-3.3.1 | 4.3.5-3.3.1 | May 22, 2020 | In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis | ||
| CVE-2020-11076 | — | < 4.3.5-3.3.1 | 4.3.5-3.3.1 | May 22, 2020 | In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. |
- CVE-2024-45614Sep 19, 2024affected < 4.3.12-150000.3.15.1fixed 4.3.12-150000.3.15.1
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affect
- CVE-2024-21647Jan 8, 2024affected < 4.3.12-150000.3.15.1fixed 4.3.12-150000.3.15.1
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without
- CVE-2023-40175Aug 18, 2023affected < 4.3.12-150000.3.12.1fixed 4.3.12-150000.3.12.1
Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is
- CVE-2022-24790Mar 30, 2022affected < 4.3.12-150000.3.9.1fixed 4.3.12-150000.3.9.1
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request sta
- CVE-2022-23634Feb 11, 2022affected < 4.3.11-150000.3.6.2fixed 4.3.11-150000.3.6.2
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to wor
- CVE-2021-41136Oct 12, 2021affected < 4.3.11-150000.3.6.2fixed 4.3.11-150000.3.6.2
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the p
- CVE-2021-29509May 11, 2021affected < 4.3.11-150000.3.6.2fixed 4.3.11-150000.3.6.2
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threa
- CVE-2020-11077May 22, 2020affected < 4.3.5-3.3.1fixed 4.3.5-3.3.1
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mis
- CVE-2020-11076May 22, 2020affected < 4.3.5-3.3.1fixed 4.3.5-3.3.1
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.