Skip to main content

Puma

11 CVEs product

Monthly

CVE-2024-45614 Ruby MEDIUM PATCH This Month

Puma is a Ruby/Rack web server built for parallelism. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Nginx Puma
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2024-21647 Ruby MEDIUM PATCH This Month

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma
NVD GitHub
CVSS 3.1
5.9
EPSS
2.5%
CVE-2023-40175 Ruby CRITICAL PATCH Act Now

Puma is a Ruby/Rack web server built for parallelism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-24790 Ruby HIGH PATCH This Week

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-41136 Ruby LOW PATCH Monitor

Puma is a HTTP 1.1 server for Ruby/Rack applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Apache Information Disclosure Puma Debian Linux
NVD GitHub
CVSS 3.1
3.7
EPSS
1.1%
CVE-2021-29509 Ruby HIGH PATCH This Week

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Apache Denial Of Service Puma Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-11077 Ruby HIGH PATCH This Week

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Puma Fedora Debian Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
2.8%
CVE-2020-11076 Ruby HIGH PATCH This Week

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
4.0%
CVE-2020-5249 Ruby MEDIUM PATCH This Month

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

XSS Puma
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2020-5247 Ruby HIGH PATCH This Week

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Puma Ruby Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2019-16770 Ruby HIGH PATCH This Week

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Puma Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Puma is a Ruby/Rack web server built for parallelism. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Nginx Puma
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Puma is a Ruby/Rack web server built for parallelism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Puma +2
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Puma is a HTTP 1.1 server for Ruby/Rack applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Apache Information Disclosure +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Apache Denial Of Service +2
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Puma +3
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Puma +2
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

XSS Puma
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Puma Ruby +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Puma Debian Linux
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy