CVE-2021-29509 — Uncontrolled Resource Consumption in Puma

CWE-400 — Uncontrolled Resource Consumption6 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puma Debian Puma Debian Linux

Timeline

PublishedMay 11

Latest updateMay 18

Description

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDpuma/puma5.0.0 — 5.3.1+1

▶RubyGemspuma/puma5.0.0 — 5.3.1+1

▶debiandebian/puma< puma 4.3.8-1 (bookworm)

▶Debianpuma/puma< 4.3.8-1+3

Also affects: Debian Linux 10.0

Patches

Patch: gist.github.com ↗Patch: github.com ↗Patch: gist.github.com ↗

🔴Vulnerability Details

OSV

Puma's Keepalive Connections Causing Denial Of Service↗2021-05-18

▶

GHSA

Puma's Keepalive Connections Causing Denial Of Service↗2021-05-18

▶

OSV

CVE-2021-29509: Puma is a concurrent HTTP 1↗2021-05-11

▶

📋Vendor Advisories

Red Hat

rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)↗2021-05-11

▶

Debian

CVE-2021-29509: puma - Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE...↗2021

▶