CVE-2022-24790: HTTP Request Smuggling in puma
First published: Wed Mar 30 2022(Updated: )
A HTTP request smuggling flaw was found in puma. This issue occurs when using puma behind a proxy. Puma does not validate incoming HTTP requests, as per RFC specification, leading to loss of integrity.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rubygem-puma | <0:4.3.12-1.el7 | 0:4.3.12-1.el7 |
| redhat/tfm-rubygem-puma | <0:4.3.12-1.el7 | 0:4.3.12-1.el7 |
| Puma Puma | <4.3.12 | |
| Puma Puma | >=5.0.0<5.6.4 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| redhat/puma | <5.6.4 | 5.6.4 |
| redhat/puma | <4.3.12 | 4.3.12 |
| ubuntu/puma | <3.12.4-1ubuntu2+ | 3.12.4-1ubuntu2+ |
| ubuntu/puma | <5.5.2-2ubuntu2+ | 5.5.2-2ubuntu2+ |
| debian/puma | <=3.12.0-2+deb10u2<=4.3.8-1 | 3.12.0-2+deb10u3 4.3.8-1+deb11u2 5.6.5-3 6.4.2-4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-24790 https://nvd.nist.gov/vuln/detail/CVE-2022-24790
- https://bugzilla.redhat.com/show_bug.cgi?id=2071616
- https://access.redhat.com/errata/RHSA-2023:1486
- https://access.redhat.com/errata/RHSA-2022:8532
- https://access.redhat.com/security/cve/cve-2022-24790
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://security.gentoo.org/glsa/202208-28
- https://www.debian.org/security/2022/dsa-5146
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2071623
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2071624
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2071625
- https://src.fedoraproject.org/rpms/rubygem-puma
- https://rubygems.org/gems/puma
- https://launchpad.net/bugs/cve/CVE-2022-24790
- https://github.com/puma/puma/commit/6c514e70f5ae0ff14c9b0091fa84bfa39b022025
- https://security-tracker.debian.org/tracker/CVE-2022-24790
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://ubuntu.com/security/notices/USN-6682-1
- https://www.cve.org/CVERecord?id=CVE-2022-24790
- https://nvd.nist.gov/vuln/detail/CVE-2022-24790
- https://ubuntu.com/security/CVE-2022-24790
Frequently Asked Questions
What is CVE-2022-24790?
CVE-2022-24790 is a HTTP request smuggling flaw found in Puma, a multi-threaded HTTP server for Ruby/Rack applications.
How severe is CVE-2022-24790?
CVE-2022-24790 has a severity rating of 7.5 (Critical).
What is the affected software?
The affected software includes Puma versions up to and including 5.6.4 and Rubygem Puma up to and including version 4.3.12.
How can I fix CVE-2022-24790?
To fix CVE-2022-24790, update to Puma version 5.6.5 or higher, or Rubygem Puma version 4.3.13 or higher.
Where can I find more information about CVE-2022-24790?
More information about CVE-2022-24790 can be found at the following references: [GitHub Commit](https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5), [GitHub Security Advisory](https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2071623).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-24790
- agent/software-canonical-lookup
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/tags
- agent/event
- package-manager/redhat
- vendor/puma
- canonical/puma puma
- version/puma puma/5.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- package-manager/debian
- package-manager/ubuntu