CVE-2019-16770

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Published: Dec 5, 2019
Updated: May 9, 2024
CVE: CVE-2019-16770
GHSA: GHSA-7xx3-m584-x994
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
puma / puma	3.0.0	3.12.2
puma / puma	4.0.0	4.3.1
debian / debian_linux	9.0	9.0.x
puma	-	3.12.2
puma	4.0.0	4.3.1

https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

Vulnerability Database

289,784

CVE-2019-16770