CVE-2019-16770

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-16770

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16770.json

Aliases

GHSA-7xx3-m584-x994

Related

DLA-3023-1

Published

2019-12-05T20:15:10Z

Modified

2023-11-29T07:14:26.720166Z

Details

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

References

Affected packages

Git / github.com/puma/puma

Affected ranges

Type: GIT
Repo: https://github.com/puma/puma
Events: Introduced

f0762d1216c825009a5d3d0a13d1d3ec1ff95682

Introduced

f5d7600e4e4d9104803b5f0f5f596f8dc45fc191

Fixed

2986bc4ab5e03072d4c09739649c5c9221b13c8d

Affected versions

Other

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.10.0

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.12.0

v3.12.1

v3.2.0

v3.3.0

v3.4.0

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.7.1

v3.8.0

v3.9.0

v3.9.1

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.3.0