icon

We found results for “

CVE-2022-23634

Good to know:

icon

Date: February 11, 2022

Puma is a Ruby/Rack web server built for parallelism. Prior to "puma" version "5.6.2", "puma" may not always call "close" on the response body. Rails, prior to version "7.0.2.2", depended on the response body being closed in order for its "CurrentAttributes" implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Language: Ruby

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Improper Resource Shutdown or Release

CWE-404

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version puma - 5.6.2;puma - 4.3.11

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us