Vulnerability Details CVE-2019-16770
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.4%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
Products affected by CVE-2019-16770
-
cpe:2.3:a:puma:puma:3.0.0
-
cpe:2.3:a:puma:puma:3.0.1
-
cpe:2.3:a:puma:puma:3.0.2
-
cpe:2.3:a:puma:puma:3.1.0
-
cpe:2.3:a:puma:puma:3.1.1
-
cpe:2.3:a:puma:puma:3.10.0
-
cpe:2.3:a:puma:puma:3.11.0
-
cpe:2.3:a:puma:puma:3.11.1
-
cpe:2.3:a:puma:puma:3.11.2
-
cpe:2.3:a:puma:puma:3.11.3
-
cpe:2.3:a:puma:puma:3.11.4
-
cpe:2.3:a:puma:puma:3.12.0
-
cpe:2.3:a:puma:puma:3.12.1
-
cpe:2.3:a:puma:puma:3.2.0
-
cpe:2.3:a:puma:puma:3.3.0
-
cpe:2.3:a:puma:puma:3.4.0
-
cpe:2.3:a:puma:puma:3.5.0
-
cpe:2.3:a:puma:puma:3.5.1
-
cpe:2.3:a:puma:puma:3.5.2
-
cpe:2.3:a:puma:puma:3.6.0
-
cpe:2.3:a:puma:puma:3.6.1
-
cpe:2.3:a:puma:puma:3.6.2
-
cpe:2.3:a:puma:puma:3.7.0
-
cpe:2.3:a:puma:puma:3.7.1
-
cpe:2.3:a:puma:puma:3.8.0
-
cpe:2.3:a:puma:puma:3.8.1
-
cpe:2.3:a:puma:puma:3.8.2
-
cpe:2.3:a:puma:puma:3.9.0
-
cpe:2.3:a:puma:puma:3.9.1
-
cpe:2.3:a:puma:puma:4.0.0
-
cpe:2.3:a:puma:puma:4.0.1
-
cpe:2.3:a:puma:puma:4.1.0
-
cpe:2.3:a:puma:puma:4.1.1
-
cpe:2.3:a:puma:puma:4.2.0
-
cpe:2.3:a:puma:puma:4.2.1
-
cpe:2.3:a:puma:puma:4.3.0
-
cpe:2.3:o:debian:debian_linux:9.0