Home > Vulnerability Database > CVE-2022-23634

Mend.io Vulnerability Database

CVE-2022-23634

Good to know:

Date: February 11, 2022

Puma is a Ruby/Rack web server built for parallelism. Prior to "puma" version "5.6.2", "puma" may not always call "close" on the response body. Rails, prior to version "7.0.2.2", depended on the response body being closed in order for its "CurrentAttributes" implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Language: Ruby

Severity Score

8.0

Related Resources (20)

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml

Url: https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

Url: https://security.gentoo.org/glsa/202208-28

Url: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1

Url: https://github.com/advisories/GHSA-wh98-p28r-vrc9

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/

Url: https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/

Url: https://security-tracker.debian.org/tracker/CVE-2022-23634

Url: https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G

Url: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Url: https://www.debian.org/security/2022/dsa-5146

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23634

Url: https://github.com/puma/puma

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB

Url: https://github.com/advisories/GHSA-rmj8-8hhh-gv5h

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5

Url: https://www.mend.io/vulnerability-database/CVE-2022-23634

Severity Score

8.0

Weakness Type (CWE)

Improper Resource Shutdown or Release

CWE-404

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version puma - 5.6.2;puma - 4.3.11

Learn More

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-23634

Good to know:

Date: February 11, 2022

Language: Ruby

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?