Lucene search

Veracode Vulnerability DatabaseVERACODE:42888

HistoryAug 22, 2023 - 2:17 p.m.

HTTP Request Smuggling

2023-08-2214:17:09

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

puma

vulnerability

http request smuggling

zero-length content-length

chunked transfer encoding

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

65.2%

JSON

puma is vulnerable to HTTP Request Smuggling. The vulnerability exists due to processing zero-length content-Length headers and chunked transfer encoding bodies in client.rb, allowing an attacker to smuggle HTTP requests.

CPENameOperatorVersion
pumale5.6.6
pumale6.3.0
pumale5.6.6
pumale6.3.0
puma:sideq4.3.6-1+b1
puma:sideq4.3.6-1

Name	Operator	Version
puma	le	5.6.6
puma	le	6.3.0
puma	le	5.6.6
puma	le	6.3.0
puma:sid	eq	4.3.6-1+b1
puma:sid	eq	4.3.6-1

References

github.com/puma/puma/commit/690155e7d644b80eeef0a6094f9826ee41f1080a

github.com/puma/puma/commit/7405a219801dcebc0ad6e0aa108d4319ca23f662

github.com/puma/puma/commit/ed0f2f94b56982c687452504b95d5f1fbbe3eed1

github.com/puma/puma/releases/tag/v5.6.7

github.com/puma/puma/releases/tag/v6.3.1

github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8

github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2023-40175.yml

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

65.2%

JSON

Related for VERACODE:42888