CVE-2019-16770

Published: Dic 05, 2019 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2019-0786 Aliases: GHSA-7xx3-m584-x994
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low
MEDIUM 5,0
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: none
Confidentiality: none
Integrity: none
Availability: partial

Description

AI Translation Available

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0159
Percentile
0,8th
Updated

EPSS Score Trend (Last 90 Days)

770

Allocation of Resources Without Limits or Throttling

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
Application

Puma by Puma

Product Information
Vendor Puma
Product Puma
Version Range Affected
From 4.0.0 (inclusive)
To 4.3.1 (exclusive)
cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Puma by Puma

Product Information
Vendor Puma
Product Puma
Version Range Affected
From 3.0.0 (inclusive)
To 3.12.2 (exclusive)
cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/puma/puma/security/advisories/GHSA-7xx3-…
Mitigation Third Party Advisory
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://lists.debian.org/debian-lts-announce/2022/05/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
https://github.com/puma/puma/security/advisories/GHSA-7xx3-…
Mitigation Third Party Advisory
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
https://lists.debian.org/debian-lts-announce/2022/05/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html