PT-2019-14826 · Ruby+1 · Puma+1

Nateberkopec

·

Publicado

2019-12-05

·

Atualizado

2026-03-13

·

CVE-2019-16770

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Puma versions prior to 3.12.2 Puma versions prior to 4.3.1
Description A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Recommendations For versions prior to 3.12.2, update to version 3.12.2 or later to resolve the issue. For versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider configuring reverse proxies in front of Puma to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.

Exploit

Correção

DoS

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-770

Identificadores relacionados

CVE-2019-16770
DLA-3023-1
GHSA-7XX3-M584-X994
OPENSUSE-SU-2020:1993-1
OPENSUSE-SU-2020:2000-1
OPENSUSE-SU-2020_1993-1
OPENSUSE-SU-2020_2000-1
OPENSUSE-SU-2024:10589-1
OPENSUSE-SU-2024:11342-1
OPENSUSE-SU-2024:11343-1
OPENSUSE-SU-2024:11830-1
OPENSUSE-SU-2024:11847-1
OPENSUSE-SU-2024:12592-1
OPENSUSE-SU-2024:12900-1
OPENSUSE-SU-2024:13166-1
OPENSUSE-SU-2024:13720-1
OPENSUSE-SU-2024:13721-1
OPENSUSE-SU-2025:15123-1
OPENSUSE-SU-2026:10357-1
SUSE-SU-2020:0081-1
SUSE-SU-2020:0311-1
SUSE-SU-2020:0640-1
SUSE-SU-2020:0642-1
SUSE-SU-2020:2060-1
SUSE-SU-2020:3036-1
SUSE-SU-2020:3147-1
SUSE-SU-2020:3160-1

Produtos afetados

Puma
Suse