CVE-2022-23634Sensitive Information Exposure in Puma

CWE-200Sensitive Information ExposureCWE-404Improper Resource Shutdown or ReleaseCWE-359Exposure of Private Personal Information to an Unauthorized Actor9 documents7 sources
Severity
5.9MEDIUMNVD
CNA8.0
EPSS
0.4%
top 36.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PumaRubyonrails RailsDebian Linux+1 more
Timeline
PublishedFeb 11
Latest updateMar 7

Description

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

NVDrubyonrails/rails5.0.05.2.6.2+3
CVEListV5puma/puma< 4.3.11+1
NVDpuma/puma5.0.05.6.2+1
RubyGemspuma/puma5.0.05.6.2+1
Debianpuma/puma< 4.3.8-1+deb11u2+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 35, 36, 37

Patches

Patch: github.comPatch: github.comPatch: groups.google.com

🔴Vulnerability Details

5
OSV
puma vulnerabilities2024-03-07
OSV
Puma used with Rails may lead to Information Exposure2022-02-11
CVEList
Information Exposure when using Puma with Rails2022-02-11
OSV
CVE-2022-23634: Puma is a Ruby/Rack web server built for parallelism2022-02-11
GHSA
Puma used with Rails may lead to Information Exposure2022-02-11

📋Vendor Advisories

3
Ubuntu
Puma vulnerabilities2024-03-07
Red Hat
rubygem-puma: rubygem-rails: information leak between requests2022-02-11
Debian
CVE-2022-23634: puma - Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5...2022
CVE-2022-23634 — Sensitive Information Exposure in Puma | cvebase