Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-02-11T21:40:11

Updated: 2024-08-03T03:51:45.584Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23634

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-02-11T22:15:07.817

Modified: 2024-11-21T06:48:58.950

Link: CVE-2022-23634

cve-icon Redhat

Severity : Important

Publid Date: 2022-02-11T00:00:00Z

Links: CVE-2022-23634 - Bugzilla