Lucene search

[email protected]CVE-2019-16770

HistoryDec 05, 2019 - 8:15 p.m.

CVE-2019-16770

2019-12-0520:15:10

CWE-770

[email protected]

web.nvd.nist.gov

157

puma

denial of service

vulnerability

keepalive

cve-2019-16770

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.5%

JSON

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma’s reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Affected configurations

Vulners

NVD

Node

pumapumaRange<4.3.1

VendorProductVersionCPE
pumapuma*cpe:2.3:a:puma:puma:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
puma	puma	*	cpe:2.3:a:puma:puma::::::::

CNA Affected

[
  {
    "product": "puma",
    "vendor": "puma",
    "versions": [
      {
        "lessThan": "4.3.1",
        "status": "affected",
        "version": "< 4.3.1",
        "versionType": "custom"
      }
    ]
  }
]