Home > Vulnerability Database > CVE-2024-21647

Mend.io Vulnerability Database

CVE-2024-21647

Good to know:

Date: January 8, 2024

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Language: Ruby

Severity Score

5.9

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21647

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml

Url: https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7

Url: https://github.com/puma/puma

Url: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2

Url: https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93

Url: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d

Url: https://www.mend.io/vulnerability-database/CVE-2024-21647

Severity Score

5.9

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-444

Top Fix

Upgrade Version

Upgrade to version puma - 5.6.8,6.4.2

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21647

Good to know:

Date: January 8, 2024

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?