| CVE-2022-24790 |
high |
— |
8.0 |
|
|
|
4y ago |
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the … |
| CVE-2022-23634 |
medium |
— |
5.5 |
|
|
|
4y ago |
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the resp… |
| CVE-2021-41136 |
medium |
— |
5.5 |
|
|
|
5y ago |
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP re… |
| CVE-2024-45614 |
unknown |
— |
— |
|
|
|
2y ago |
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the … |
| CVE-2024-21647 |
unknown |
— |
— |
|
|
|
2y ago |
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HT… |
| CVE-2023-40175 |
unknown |
— |
— |
|
|
|
3y ago |
Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length… |
| CVE-2021-29509 |
unknown |
— |
— |
|
|
|
5y ago |
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from ha… |
| CVE-2020-11077 |
unknown |
— |
— |
|
|
|
6y ago |
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connecti… |
| CVE-2020-11076 |
unknown |
— |
— |
|
|
|
6y ago |
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. |
| CVE-2020-5249 |
unknown |
— |
— |
|
|
|
6y ago |
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject m… |
| CVE-2020-5247 |
unknown |
— |
— |
|
|
|
6y ago |
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to en… |
| CVE-2019-16770 |
unknown |
— |
— |
|
|
|
7y ago |
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Pum… |