In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2019-12-05T19:35:14

Updated: 2024-08-05T01:24:48.578Z

Reserved: 2019-09-24T00:00:00

Link: CVE-2019-16770

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-12-05T20:15:10.093

Modified: 2024-11-21T04:31:09.323

Link: CVE-2019-16770

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-12-05T00:00:00Z

Links: CVE-2019-16770 - Bugzilla