CVE-2019-16770Allocation of Resources Without Limits or Throttling in Puma

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption16 documents7 sources
Severity
7.5HIGHNVD
CNA5.3
EPSS
1.6%
top 18.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PumaDebian PumaDebian Linux
Timeline
PublishedMay 11
Latest updateMay 18

Description

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` c

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

CVEListV5puma/puma< 4.3.1+2
NVDpuma/puma5.0.05.3.1+3
RubyGemspuma/puma5.0.05.3.1+3
debiandebian/puma< puma 4.3.8-1 (bookworm)+1
Debianpuma/puma< 3.12.0-4+7

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: gist.github.comPatch: github.comPatch: gist.github.com

🔴Vulnerability Details

8
OSV
Puma's Keepalive Connections Causing Denial Of Service2021-05-18
GHSA
Puma's Keepalive Connections Causing Denial Of Service2021-05-18
CVEList
Keepalive Connections Causing Denial Of Service in puma2021-05-11
OSV
CVE-2021-29509: Puma is a concurrent HTTP 12021-05-11
OSV
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack2019-12-05

📋Vendor Advisories

4
Red Hat
rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)2021-05-11
Debian
CVE-2021-29509: puma - Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE...2021
Red Hat
rubygem-puma: keepalive requests from poorly-behaved client leads to denial of service2019-12-05
Debian
CVE-2019-16770: puma - In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keep...2019

💬Community

2
Bugzilla
CVE-2019-16770 rubygem-puma: puma: keepalive requests from poorly-behaved client leads to denial of service [fedora-all]2020-05-04
Bugzilla
CVE-2019-16770 rubygem-puma: keepalive requests from poorly-behaved client leads to denial of service2020-05-04