CVE-2019-16770 — puma - security update

Description

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

How to fix CVE-2019-16770

To remediate CVE-2019-16770, upgrade the affected package to a fixed version below.

—upgrade to 3.12.0-4 or later
—upgrade to 3.6.0-1+deb9u2 or later
—upgrade to 3.12.2 or later

Is CVE-2019-16770 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.12.0-4
from 0, < 3.6.0-1+deb9u2
from 0, < 3.12.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (6)

ADVISORYgithub.com/advisories/GHSA-7xx3-m584-x994
ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16770
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-16770
WEBgithub.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994