PT-2022-7649 · Puma+8

Nateberkopec · Published 2022-02-11 · Updated 2026-03-13

CVE-2022-23634

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Puma versions prior to 5.6.2
Puma version 4.3.11
Rails versions prior to 7.0.2.2
Rails versions prior to 6.1.4.6
Rails versions prior to 6.0.4.6
Rails versions prior to 5.2.6.2
Description
The issue is an information leak caused by two behaviors in combination: Puma does not always call close on the response body, and Rails depends on the response body being closed for its CurrentAttributes implementation to work correctly. Together these behaviors cause information to leak. An attacker can exploit the problem to gain access to confidential information.
Recommendations
For Puma versions prior to 5.6.2, upgrade to version 5.6.2 or 4.3.11.
For Rails versions prior to 7.0.2.2, upgrade to version 7.0.2.2.
For Rails versions prior to 6.1.4.6, upgrade to version 6.1.4.6.
For Rails versions prior to 6.0.4.6, upgrade to version 6.0.4.6.
For Rails versions prior to 5.2.6.2, upgrade to version 5.2.6.2.
As a temporary workaround, consider using the provided middleware to guard against the issue.

Weakness Enumeration

Improper Resource Release
Information Disclosure

Related Identifiers

ALSA-2025_16880
ALT-PU-2022-2028
ALT-PU-2022-2630
ALT-PU-2023-4268
ALT-PU-2023-4271
ALT-PU-2024-7814
ALT-PU-2024-7817
BDU:2024-07773
CVE-2022-23634
DLA-3023-1
DLA-3083-1
DSA-5146-1
GHSA-RMJ8-8HHH-GV5H
GHSA-WH98-P28R-VRC9
OESA-2024-1002
OESA-2024-1003
OESA-2024-1004
OESA-2024-1005
OESA-2024-1006
OESA-2024-1007
OPENSUSE-SU-2022_1515-1
OPENSUSE-SU-2024:11847-1
OPENSUSE-SU-2024:12900-1
OPENSUSE-SU-2024:13720-1
OPENSUSE-SU-2025:15123-1
OPENSUSE-SU-2026:10357-1
RHSA-2022:5498
RLSA-2022:5498
SUSE-SU-2022:1515-1
SUSE-SU-2022_1515-1
USN-6682-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Puma
Rails
Red Os
Rocky Linux
Suse
Ubuntu