Information disclosure in Puma
CVE-2022-23634
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its…
Vulnerability class: Information Disclosure
EPSS: 0.021 (79.3rd percentile).
CVSS v3 metric
CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Puma — versions >= 5.0.0 and < 5.6.2, or < 4.3.11
- Rubyonrails Rails
- Debian Debian_linux — versions 9.0, 10.0, 11.0
- Fedoraproject Fedora — versions 35, 36, 37
Weakness classification (CWE)
Frequently asked questions
- What is CVE-2022-23634?
- CVE-2022-23634 is a high-severity vulnerability in Puma, classified under Information Disclosure. CVSS score: 8.0/10. Published 2022-02-11.
- How severe is CVE-2022-23634?
- High severity. CVSS v3 base score is 8.0 out of 10.