In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2019-12-05T19:35:14
Updated: 2024-08-05T01:24:48.578Z
Reserved: 2019-09-24T00:00:00
Link: CVE-2019-16770
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-12-05T20:15:10.093
Modified: 2024-11-21T04:31:09.323
Link: CVE-2019-16770
Redhat