Platform
ruby
Component
puma
Fixed in
3.12.2
4.3.1
CVE-2019-16770 describes a Denial of Service (DoS) vulnerability in the Puma web server. An attacker can exploit this flaw by sending a large number of keepalive requests, potentially overwhelming Puma's reactor and preventing legitimate requests from being processed. This vulnerability affects versions of Puma up to and including 3.9.1, and patches are available in Puma 4.3.1 and 3.12.2.
The primary impact of CVE-2019-16770 is denial of service: a successful attack renders the Puma web server unresponsive and prevents users from reaching the applications it serves, which can cause significant service disruption and potential financial losses. The vulnerability stems from Puma's handling of keepalive connections. If an attacker opens more keepalive connections than Puma has available threads, subsequent connections are queued indefinitely, effectively starving the server. This is the same pattern as resource-exhaustion attacks against other web servers, where the attacker consumes a finite resource to cause a crash or outage.
CVE-2019-16770 was published on December 5, 2019. There is no indication that this vulnerability is being actively exploited in the wild, and it is not listed in the KEV (Known Exploited Vulnerabilities) catalog as of the current date. The EPSS (Exploit Prediction Scoring System) score is likely low, reflecting the lack of public exploits and the relatively simple nature of the attack. No public proof-of-concept (PoC) code has been widely reported.
Exploit Status
EPSS
1.59% (percentile 82%)
CVSS Vector
The recommended mitigation for CVE-2019-16770 is to upgrade to Puma version 4.3.1 or 3.12.2, which contain the fix. If upgrading is not immediately feasible, a workaround involves configuring a reverse proxy (e.g., Nginx, Apache) in front of Puma to limit the number of keepalive connections allowed to the Puma cluster or process. The limit should be set to a value less than the number of threads Puma is configured to use. For example, if Puma has 10 threads, the reverse proxy should be configured to allow a maximum of 9 keepalive connections. After upgrading, confirm the fix by sending a high volume of keepalive requests to the Puma server and verifying that it remains responsive.
Update the Puma gem to version 4.3.1 or later, or to version 3.12.2 or later. This fixes the denial-of-service vulnerability caused by malicious clients monopolizing Puma's reactor with keepalive requests. Run `gem update puma` to update.
CVE-2019-16770 is a Denial of Service vulnerability in Puma versions up to 3.9.1. A malicious client can overwhelm Puma's reactor with keepalive requests, causing a denial of service.
You are affected if you are running Puma version 3.9.1 or earlier. Check your Puma version using `puma -v`.
Upgrade to Puma version 4.3.1 or 3.12.2. As a temporary workaround, configure a reverse proxy to limit keepalive connections.
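The version check above can be automated. The following Ruby script is an added example, not code from the Puma project or from this advisory: it reads the locked Puma version from `Gemfile.lock` text (or from `puma -v` output) and compares it against the fixed releases listed on this page, 3.12.2 for the 3.x line and 4.3.1 for the 4.x line. The lockfile fragment is constructed, the `puma -v` output format ("puma version X.Y.Z") is an assumption, and releases newer than both fixed lines are reported as not affected because the advisory does not cover them.

```ruby
# Added example, not code from the Puma project or from this advisory page.
# Decides whether a Puma version is older than the fixed releases listed for
# CVE-2019-16770 (3.12.2 for the 3.x line, 4.3.1 for the 4.x line), reading
# the version either from Gemfile.lock text or from `puma -v` output.
require "rubygems" # provides Gem::Version

# Fixed releases taken from the page's "Fixed in" field.
FIXED_3X = Gem::Version.new("3.12.2")
FIXED_4X = Gem::Version.new("4.3.1")

# Returns the fixed release that applies to +version+, or nil when the release
# line is newer than both fixes (5.x and later postdate the advisory).
def fixed_release_for(version)
  major = version.segments.first
  return FIXED_3X if major < 4 # 3.x and any older line share the 3.12.2 fix
  return FIXED_4X if major == 4
  nil
end

# True when +version_string+ is strictly older than the fix for its line.
def puma_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  fixed = fixed_release_for(version)
  !fixed.nil? && version < fixed
end

# Pulls the locked puma version out of Gemfile.lock text. Bundler indents
# resolved gems under "specs:" by four spaces, e.g. "    puma (3.12.1)";
# dependency lines such as "      puma (~> 3.12)" are indented further and
# carry an operator, so they do not match. A platform suffix is ignored.
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^ {4}puma \((\d+(?:\.\d+)*)[^)]*\)/)
  m && m[1]
end

# Extracts the version from `puma -v` output. Assumption: the output contains
# a dotted version number, as in "puma version 3.12.1".
def version_from_puma_v(output)
  m = output.match(/(\d+\.\d+\.\d+)/)
  m && m[1]
end

# Audits a lockfile and returns a small hash suitable for a CI gate.
def audit_lockfile(lockfile_text)
  version = locked_puma_version(lockfile_text)
  return { version: nil, vulnerable: false, action: "puma not locked" } if version.nil?

  vulnerable = puma_vulnerable?(version)
  fixed = fixed_release_for(Gem::Version.new(version))
  action = vulnerable ? "upgrade puma to #{fixed} or later (gem update puma)" : "no action"
  { version: version, vulnerable: vulnerable, action: action }
end

# Constructed sample lockfile fragment (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (3.12.1)
        nio4r (~> 2.0)
      rack (2.0.7)

  DEPENDENCIES
    puma (~> 3.12)
LOCK

if $PROGRAM_NAME == __FILE__
  p audit_lockfile(SAMPLE_LOCKFILE)
end
```

Run against the constructed lockfile, the audit reports the locked 3.12.1 as vulnerable and names 3.12.2 as the upgrade target; a lockfile pinned to 3.12.2 or 4.3.1 passes. Gem::Version is used rather than string comparison so that 3.9.1 sorts below 3.12.2 correctly.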
There is currently no evidence of CVE-2019-16770 being actively exploited in the wild.
Refer to the Puma security advisory for details: https://github.com/puma/puma/security/advisories/GHSA-5g43-x455-744g