Vulnerability Description
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puma | Puma | < 5.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93Patch
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2Vendor Advisory
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93Patch
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
FAQ
What is CVE-2024-21647?
CVE-2024-21647 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTT...
How severe is CVE-2024-21647?
CVE-2024-21647 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21647?
Check the references section above for vendor advisories and patch information. Affected products include: Puma Puma.