CVE-2022-23634

EPSS 0.48%
Veröffentlicht 11.02.2022 22:15:07
Zuletzt bearbeitet 21.11.2024 06:48:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Information Exposure when using Puma with Rails

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 15

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Puma ≫ Puma SwPlatformruby Version < 4.3.11

Puma ≫ Puma SwPlatformruby Version >= 5.0.0 < 5.6.2

Rubyonrails ≫ Rails Version >= 5.0.0 < 5.2.6.2

Rubyonrails ≫ Rails Version >= 6.0.0 < 6.0.4.6

Rubyonrails ≫ Rails Version >= 6.1.0 < 6.1.4.6

Rubyonrails ≫ Rails Version >= 7.0.0 < 7.0.2.2

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.652

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
security-advisories@github.com	8	1.6	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N