CVE-2019-16770

Advisory lineage Upstream: 0 Downstream: 23

Downstream

DEBIAN-CVE-2019-16770 DLA-3023-1 OPENSUSE-SU-2020:1993-1 OPENSUSE-SU-2020:2000-1 OPENSUSE-SU-2024:10589-1 OPENSUSE-SU-2024:11830-1

Modified

Published: 05 Dec 2019, 19:35

Last modified:05 Aug 2024, 01:24

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

1.59% LOW

2% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

05 Dec 2019, 19:35

Published

Vulnerability first disclosed

05 Aug 2024, 01:24

Last Modified

Vulnerability information updated

Description

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 1.59%• Percentile: 82%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

debian•debian_linux
9.0
puma•puma
≥ 3.0.0, < 3.12.2 | ≥ 4.0.0, < 4.3.1 | ≥ < 4.3.1, < 4.3.1