csaf_suse - suse-su-2022:1515-1

suse-su-2022:1515-1

Vulnerability from csaf_suse

Published

2022-05-04 08:24

Modified

2022-05-04 08:24

Summary

Security update for rubygem-puma

Notes

Title of the patch

Security update for rubygem-puma

Description of the patch

This update for rubygem-puma fixes the following issues: rubygem-puma was updated to version 4.3.11: * CVE-2021-29509: Adjusted an incomplete fix for allows Denial of Service (DoS) (bsc#1188527) * CVE-2021-41136: Fixed request smuggling if HTTP header value contains the LF character (bsc#1191681) * CVE-2022-23634: Fixed information leak between requests (bsc#1196222)

Patchnames

SUSE-2022-1515,SUSE-SLE-Product-HA-15-2022-1515,SUSE-SLE-Product-HA-15-SP1-2022-1515,SUSE-SLE-Product-HA-15-SP2-2022-1515,SUSE-SLE-Product-HA-15-SP3-2022-1515,SUSE-SLE-Product-HA-15-SP4-2022-1515,openSUSE-SLE-15.3-2022-1515,openSUSE-SLE-15.4-2022-1515

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-puma",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-puma fixes the following issues:\n\nrubygem-puma was updated to version 4.3.11:\n\n* CVE-2021-29509: Adjusted an incomplete fix for  allows Denial of Service (DoS) (bsc#1188527)\n* CVE-2021-41136: Fixed request smuggling if HTTP header value contains the LF character (bsc#1191681)\n* CVE-2022-23634: Fixed information leak between requests (bsc#1196222)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2022-1515,SUSE-SLE-Product-HA-15-2022-1515,SUSE-SLE-Product-HA-15-SP1-2022-1515,SUSE-SLE-Product-HA-15-SP2-2022-1515,SUSE-SLE-Product-HA-15-SP3-2022-1515,SUSE-SLE-Product-HA-15-SP4-2022-1515,openSUSE-SLE-15.3-2022-1515,openSUSE-SLE-15.4-2022-1515",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_1515-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:1515-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20221515-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:1515-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-May/010927.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1188527",
        "url": "https://bugzilla.suse.com/1188527"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1191681",
        "url": "https://bugzilla.suse.com/1191681"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196222",
        "url": "https://bugzilla.suse.com/1196222"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29509 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29509/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41136 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41136/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23634 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23634/"
      }
    ],
    "title": "Security update for rubygem-puma",
    "tracking": {
      "current_release_date": "2022-05-04T08:24:51Z",
      "generator": {
        "date": "2022-05-04T08:24:51Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:1515-1",
      "initial_release_date": "2022-05-04T08:24:51Z",
      "revision_history": [
        {
          "date": "2022-05-04T08:24:51Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
                  "product_id": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
                  "product_id": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.i586",
                "product": {
                  "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.i586",
                  "product_id": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.i586",
                "product": {
                  "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.i586",
                  "product_id": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
                  "product_id": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
                  "product_id": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
                  "product_id": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
                  "product_id": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
                  "product_id": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
                  "product_id": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of SUSE Linux Enterprise High Availability Extension 15",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-29509",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29509"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29509",
          "url": "https://www.suse.com/security/cve/CVE-2021-29509"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188527 for CVE-2021-29509",
          "url": "https://bugzilla.suse.com/1188527"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-05-04T08:24:51Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29509"
    },
    {
      "cve": "CVE-2021-41136",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41136"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41136",
          "url": "https://www.suse.com/security/cve/CVE-2021-41136"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1191681 for CVE-2021-41136",
          "url": "https://bugzilla.suse.com/1191681"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-05-04T08:24:51Z",
          "details": "low"
        }
      ],
      "title": "CVE-2021-41136"
    },
    {
      "cve": "CVE-2022-23634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23634",
          "url": "https://www.suse.com/security/cve/CVE-2022-23634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196222 for CVE-2022-23634",
          "url": "https://bugzilla.suse.com/1196222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.3:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-4.3.11-150000.3.6.2.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-puma-doc-4.3.11-150000.3.6.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-05-04T08:24:51Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23634"
    }
  ]
}

CVE-2021-29509 (GCVE-0-2021-29509)

Vulnerability from cvelistv5

Published

2021-05-11 16:50

Modified

2024-08-03 22:11

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - {"":"Uncontrolled Resource Consumption"}

Summary

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.

References

►

URL

Tags

	https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5	x_refsource_CONFIRM
	https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837	x_refsource_MISC
	https://github.com/puma/puma/security/policy	x_refsource_MISC
	https://rubygems.org/gems/puma	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-28	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	puma	puma	Version: < 4.3.8 Version: >= 5.0.0, < 5.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:05.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/security/policy"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rubygems.org/gems/puma"
          },
          {
            "name": "GLSA-202208-28",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-28"
          },
          {
            "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "puma",
          "vendor": "puma",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.3.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-27T20:06:19",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/security/policy"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rubygems.org/gems/puma"
        },
        {
          "name": "GLSA-202208-28",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-28"
        },
        {
          "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
        }
      ],
      "source": {
        "advisory": "GHSA-q28m-8xjw-8vr5",
        "discovery": "UNKNOWN"
      },
      "title": "Keepalive Connections Causing Denial Of Service in puma",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29509",
          "STATE": "PUBLIC",
          "TITLE": "Keepalive Connections Causing Denial Of Service in puma"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "puma",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.3.8"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "puma"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5",
              "refsource": "CONFIRM",
              "url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"
            },
            {
              "name": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837",
              "refsource": "MISC",
              "url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"
            },
            {
              "name": "https://github.com/puma/puma/security/policy",
              "refsource": "MISC",
              "url": "https://github.com/puma/puma/security/policy"
            },
            {
              "name": "https://rubygems.org/gems/puma",
              "refsource": "MISC",
              "url": "https://rubygems.org/gems/puma"
            },
            {
              "name": "GLSA-202208-28",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-28"
            },
            {
              "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-q28m-8xjw-8vr5",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29509",
    "datePublished": "2021-05-11T16:50:11",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:11:05.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41136 (GCVE-0-2021-41136)

Vulnerability from cvelistv5

Published

2021-10-12 15:30

Modified

2025-05-27 15:16

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Summary

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.

References

►

URL

Tags

	https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx	x_refsource_CONFIRM
	https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18	x_refsource_MISC
	https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f	x_refsource_MISC
	https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	puma	puma	Version: >= 5.0.0, < 5.5.1 Version: < 4.3.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.645Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"
          },
          {
            "name": "DSA-5146",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5146"
          },
          {
            "name": "GLSA-202208-28",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-28"
          },
          {
            "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "puma",
          "vendor": "puma",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.5.1"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-27T15:16:10.431Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"
        },
        {
          "name": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18"
        },
        {
          "name": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"
        },
        {
          "name": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139"
        }
      ],
      "source": {
        "advisory": "GHSA-48w2-rm65-62xx",
        "discovery": "UNKNOWN"
      },
      "title": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) in puma"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41136",
    "datePublished": "2021-10-12T15:30:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2025-05-27T15:16:10.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23634 (GCVE-0-2022-23634)

Vulnerability from cvelistv5

Published

2022-02-11 21:40

Modified

2025-04-23 19:05

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

References

►

URL

Tags

	https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h	x_refsource_CONFIRM
	https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb	x_refsource_MISC
	https://github.com/advisories/GHSA-rmj8-8hhh-gv5h	x_refsource_MISC
	https://github.com/advisories/GHSA-wh98-p28r-vrc9	x_refsource_MISC
	https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1	x_refsource_MISC
	https://www.debian.org/security/2022/dsa-5146	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html	mailing-list, x_refsource_MLIST
	https://security.gentoo.org/glsa/202208-28	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	puma	puma	Version: >= 5.0.0, < 5.6.2 Version: < 4.3.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.584Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
          },
          {
            "name": "DSA-5146",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5146"
          },
          {
            "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
          },
          {
            "name": "GLSA-202208-28",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-28"
          },
          {
            "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
          },
          {
            "name": "FEDORA-2022-de968d1b6c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
          },
          {
            "name": "FEDORA-2022-52d0032596",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
          },
          {
            "name": "FEDORA-2022-7c8b29195f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:56:10.852401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:05:33.266Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "puma",
          "vendor": "puma",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.6.2"
            },
            {
              "status": "affected",
              "version": "\u003c 4.3.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-12T19:06:38.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
        },
        {
          "name": "DSA-5146",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5146"
        },
        {
          "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
        },
        {
          "name": "GLSA-202208-28",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-28"
        },
        {
          "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
        },
        {
          "name": "FEDORA-2022-de968d1b6c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
        },
        {
          "name": "FEDORA-2022-52d0032596",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
        },
        {
          "name": "FEDORA-2022-7c8b29195f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
        }
      ],
      "source": {
        "advisory": "GHSA-rmj8-8hhh-gv5h",
        "discovery": "UNKNOWN"
      },
      "title": "Information Exposure when using Puma with Rails",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23634",
          "STATE": "PUBLIC",
          "TITLE": "Information Exposure when using Puma with Rails"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "puma",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.6.2"
                          },
                          {
                            "version_value": "\u003c 4.3.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "puma"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails\u0027 Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "CONFIRM",
              "url": "https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb",
              "refsource": "MISC",
              "url": "https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb"
            },
            {
              "name": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-rmj8-8hhh-gv5h"
            },
            {
              "name": "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
            },
            {
              "name": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email\u0026utm_source=footer\u0026pli=1"
            },
            {
              "name": "DSA-5146",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5146"
            },
            {
              "name": "[debian-lts-announce] 20220525 [SECURITY] [DLA 3023-1] puma security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
            },
            {
              "name": "GLSA-202208-28",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-28"
            },
            {
              "name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
            },
            {
              "name": "FEDORA-2022-de968d1b6c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
            },
            {
              "name": "FEDORA-2022-52d0032596",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
            },
            {
              "name": "FEDORA-2022-7c8b29195f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rmj8-8hhh-gv5h",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23634",
    "datePublished": "2022-02-11T21:40:11.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:05:33.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2022:1515-1

Vulnerability from csaf_suse

CVE-2021-29509 (GCVE-0-2021-29509)

Vulnerability from cvelistv5

CVE-2021-41136 (GCVE-0-2021-41136)

Vulnerability from cvelistv5

CVE-2022-23634 (GCVE-0-2022-23634)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature