CVE-2022-23634

Summary

CVE	CVE-2022-23634
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-02-11 22:15:00 UTC
Updated	2023-11-07 03:44:00 UTC
Description	Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

Risk And Classification

Problem Types: CWE-404

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Application	Puma	Puma	All	All	All	All
Application	Rubyonrails	Rails	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 37 Update: rubygem-puma-5.6.5-1.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Puma: Multiple Vulnerabilities (GLSA 202208-28) — Gentoo security	GENTOO	security.gentoo.org
Information Exposure with Puma when used with Rails · CVE-2022-23634 · GitHub Advisory Database · GitHub	MISC	github.com
[SECURITY] Fedora 36 Update: rubygem-puma-5.5.2-3.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] [DLA 3083-1] puma security update	MLIST	lists.debian.org
[SECURITY] [DLA 3023-1] puma security update	MLIST	lists.debian.org
[SECURITY] Fedora 35 Update: rubygem-puma-4.3.6-5.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Possible exposure of information vulnerability in Action Pack · CVE-2022-23633 · GitHub Advisory Database · GitHub	MISC	github.com
Information Exposure with Puma and Rails · Advisory · puma/puma · GitHub	CONFIRM	github.com
[SECURITY] Fedora 35 Update: rubygem-puma-4.3.6-5.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 36 Update: rubygem-puma-5.5.2-3.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Ensure `close` is called on the response body no matter what · puma/puma@b70f451 · GitHub	MISC	github.com
Debian -- Security Information -- DSA-5146-1 puma	DEBIAN	www.debian.org
[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack	MISC	groups.google.com
[SECURITY] Fedora 37 Update: rubygem-puma-5.6.5-1.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

179344 Debian Security Update for puma (DSA 5146-1)
179346 Debian Security Update for puma (DLA 3023-1)
180972 Debian Security Update for puma (DLA 3083-1)
183782 Debian Security Update for puma (CVE-2022-23634)
200174 Ubuntu Security Notification for Puma Vulnerabilities (USN-6682-1)
240566 Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)
283093 Fedora Security Update for rubygem (FEDORA-2022-de968d1b6c)
283094 Fedora Security Update for rubygem (FEDORA-2022-52d0032596)
354428 Amazon Linux Security Advisory for rubygem-puma : ALAS2022-2022-051
710598 Gentoo Linux Puma Multiple Vulnerabilities (GLSA 202208-28)
753159 SUSE Enterprise Linux Security Update for rubygem-puma (SUSE-SU-2022:1515-1)
960505 Rocky Linux Security Update for Satellite (RLSA-2022:5498)