puma puma CVE-2022-23634 vulnerability in Puma and Other Products
Published on February 11, 2022

Information Exposure when using Puma with Rails

product logo product logo product logo product logo product logo
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-23634 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-23634 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-23634

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-23634 are published in these products:

Puma
 
Ruby on Rails Rails
 
Debian Linux
 
Fedora Project Fedora
 
Canonical Ubuntu Linux
 

Affected Versions

puma:

Exploit Probability

EPSS
0.44%
Percentile
62.94%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.