CVE-2019-16770

MEDIUM

Puma 3.0.0-3.12.1 - Denial of Service via Keepalive Connection Monopolization


Description

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

References (2)

Mitigation, Third Party Advisory (x_refsource_confirm):
https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist):
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

Scores

CVSS v3 5.3
EPSS 0.0159
EPSS Percentile 81.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-770
Status published
Products (3)
debian/debian_linux 9.0
puma/puma 3.0.0 - 3.12.2
rubygems/puma 0 - 3.12.2 (RubyGems)
Published Dec 05, 2019
Tracked Since Feb 18, 2026