Search CVE reports


Toggle filters

1 – 10 of 12 results


CVE-2024-45614

Medium priority
Fixed

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For)....

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Fixed Fixed Fixed
Show less packages

CVE-2024-21647

Medium priority
Fixed

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Fixed Fixed Ignored Ignored
Show less packages

CVE-2023-40175

Medium priority
Fixed

Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Fixed Fixed Fixed Ignored Ignored
Show less packages

CVE-2022-24790

Medium priority

Some fixes available 2 of 4

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Fixed Fixed Ignored
Show less packages

CVE-2022-23634

Medium priority

Some fixes available 2 of 4

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Fixed Fixed Ignored
Show less packages

CVE-2021-41136

Medium priority
Ignored

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Not affected Ignored
Show less packages

CVE-2021-29509

Medium priority
Ignored

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Not affected Not in release Ignored
Show less packages

CVE-2020-11077

Medium priority

Some fixes available 1 of 5

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Not affected Fixed Not in release Not in release
Show less packages

CVE-2020-11076

Medium priority

Some fixes available 1 of 5

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Not affected Fixed Not in release Not in release
Show less packages

CVE-2020-5249

Medium priority
Ignored

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as...

1 affected packages

puma

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
puma Not affected Not in release Not in release
Show less packages