{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21647", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.366Z", "datePublished": "2024-01-08T13:45:27.510Z", "dateUpdated": "2024-08-01T22:27:36.196Z"}, "containers": {"cna": {"title": "HTTP Request/Response Smuggling in puma", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"}, {"name": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93", "tags": ["x_refsource_MISC"], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93"}], "affected": [{"vendor": "puma", "product": "puma", "versions": [{"version": "< 5.6.8", "status": "affected"}, {"version": ">= 6.0.0, < 6.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T13:45:27.510Z"}, "descriptions": [{"lang": "en", "value": "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.\n\n"}], "source": {"advisory": "GHSA-c2f4-cvqm-65w2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.196Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"}, {"name": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "A4C4E799-9F02-4DF4-A3C3-8A7DA1B86BFE", "versionEndExcluding": "5.6.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "9729F4C2-7642-400E-B88A-154E29A8CA2C", "versionEndExcluding": "6.4.2", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.\n\n"}, {"lang": "es", "value": "Puma es un servidor web para aplicaciones Ruby/Rack creado para el paralelismo. Antes de la versi\u00f3n 6.4.2, Puma exhib\u00eda un comportamiento incorrecto al analizar cuerpos de codificaci\u00f3n de transferencia fragmentados de una manera que permit\u00eda el contrabando de solicitudes HTTP. Las versiones fijas limitan el tama\u00f1o de las extensiones de fragmentos. Sin este l\u00edmite, un atacante podr\u00eda provocar un consumo ilimitado de recursos (CPU, ancho de banda de red). Esta vulnerabilidad se ha solucionado en las versiones 6.4.2 y 5.6.8."}], "id": "CVE-2024-21647", "lastModified": "2024-11-21T08:54:47.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-08T14:15:47.640", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2010", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "package": "rubygem-puma-0:6.4.2-1.el8sat", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-04-23T00:00:00Z"}], "bugzilla": {"description": "rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies", "id": "2257340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257340"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-444", "details": ["Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.", "A flaw was found in Puma rubygem. Versions prior 6.4.2 are susceptible to a HTTP smuggling attack when parsing chunked transfer encoding bodies on HTTP messages, which don't limit the size of the message chunk extensions. This issue may lead to uncontrolled resource consumption, possibly resulting in a denial of service of the attacked server."], "name": "CVE-2024-21647", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-puma", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Storage 3"}], "public_date": "2024-01-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21647\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21647\nhttps://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2"], "statement": "For Red Hat Satellite the affected version of the package tfm-rubygem-puma applies to EL7 only, which means it only applies to Satellite 6.11 on RHEL 7 which is currently out of support.", "threat_severity": "Important", "upstream_fix": "puma 6.4.2, puma 5.6.8"}