Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` did not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly: per-request attributes are reset when the body is closed, so a body that is never closed leaves the previous request's attributes in place. The combination of these two behaviors (Puma not closing the body plus Rails' Executor implementation) causes information leakage between requests. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-02-11T21:40:11
Updated: 2024-08-03T03:51:45.584Z
Reserved: 2022-01-19T00:00:00
Link: CVE-2022-23634
Vulnrichment
No data.
NVD
Status: Modified
Published: 2022-02-11T22:15:07.817
Modified: 2024-11-21T06:48:58.950
Link: CVE-2022-23634