CVE-2022-23634

 

Published at: - 11-02-2022 11:15

Last modified: - 12-10-2022 03:17

Total changes: - 10

Description

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
• https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
• https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
• https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
• https://github.com/advisories/GHSA-wh98-p28r-vrc9
• DSA-5146-Third Party Advisory
• [debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update-Mailing List, Third Party Advisory
• GLSA-202208-28-Third Party Advisory
• [debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update-Mailing List, Third Party Advisory
• FEDORA-2022-de968d1b6c-Mailing List, Third Party Advisory
• FEDORA-2022-52d0032596-Mailing List, Third Party Advisory
• FEDORA-2022-7c8b29195f-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2022-23634

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures