Vulnerability Details : CVE-2022-23634
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` did not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly: the Rails Executor resets request-scoped state from that `close` hook, so when it is skipped the state can survive into a later request handled by the same Puma thread. The combination of these two behaviours (Puma not closing the body and Rails' Executor relying on that close) causes information leakage between requests. This problem is fixed in Puma versions `5.6.2` and `4.3.11`, and in Rails versions `7.0.2.2`, `6.1.4.6`, `6.0.4.6`, and `5.2.6.2`. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability; only the pairing of an unpatched Puma with an unpatched Rails is affected.
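The mechanism above, as an added example that is not code from Puma or Rails: a toy Rack server loop serves two requests on one worker, first an authenticated request whose client drops mid-response, then an anonymous one. `Current`, `ResettingBody`, `APP` and the two `serve_*` functions are stand-ins constructed for this illustration (`Current` plays the role of `ActiveSupport::CurrentAttributes`, reset from the body's `close` as the Executor-wrapped body does); `serve_without_ensure` models a server that reaches `close` only on the happy path, `serve_with_ensure` models the fix of calling it in an `ensure`.

```ruby
# Added example, not Puma or Rails code: request-scoped state that is only
# reset when the response body is closed, served by a loop that may skip close.

# Stand-in for ActiveSupport::CurrentAttributes (hypothetical, minimal).
module Current
  @attributes = {}
  class << self
    def user=(name)
      @attributes[:user] = name
    end

    def user
      @attributes[:user]
    end

    def reset
      @attributes.clear
    end
  end
end

# Rack body whose #close resets Current, like the Executor-wrapped body in Rails.
class ResettingBody
  def initialize(chunks)
    @chunks = chunks
  end

  def each(&block)
    @chunks.each(&block)
  end

  def close
    Current.reset
  end
end

# Constructed app: sets the current user from a header when present and
# otherwise trusts whatever Current already holds, which is where a leak shows.
APP = lambda do |env|
  Current.user = env['HTTP_X_USER'] if env['HTTP_X_USER']
  [200, { 'content-type' => 'text/plain' },
   ResettingBody.new(["hello #{Current.user.inspect}"])]
end

# Pre-fix model: #close is reached only on the happy path, so a write failure
# (client disconnect while streaming) leaves Current populated for the next request.
def serve_without_ensure(app, env, fail_write: false)
  status, headers, body = app.call(env)
  out = +''
  body.each do |chunk|
    raise IOError, 'client went away' if fail_write
    out << chunk
  end
  body.close
  [status, headers, out]
rescue IOError
  [499, {}, '']
end

# Fixed model: #close runs in an ensure, no matter how the write loop ends.
def serve_with_ensure(app, env, fail_write: false)
  status, headers, body = app.call(env)
  out = +''
  begin
    body.each do |chunk|
      raise IOError, 'client went away' if fail_write
      out << chunk
    end
  ensure
    body.close if body.respond_to?(:close)
  end
  [status, headers, out]
rescue IOError
  [499, {}, '']
end

# Two requests on the same worker: an authenticated one whose client drops
# mid-response, then an anonymous one. Returns the anonymous response body.
def run_scenario(server)
  Current.reset
  send(server, APP, { 'HTTP_X_USER' => 'alice' }, fail_write: true)
  _, _, body = send(server, APP, {}, fail_write: false)
  body
end

if $PROGRAM_NAME == __FILE__
  puts "without ensure: #{run_scenario(:serve_without_ensure)}"
  puts "with ensure:    #{run_scenario(:serve_with_ensure)}"
end
```

With the pre-fix loop the anonymous request is answered as `alice`; with the `ensure` it is answered as `nil`. The app in the example is deliberately trusting, but any Rails code that reads `Current` before setting it is exposed the same way once `close` is skipped.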
Vulnerability category: Information leak
Products affected by CVE-2022-23634
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* (versions before 5.2.6.2, 6.0.x before 6.0.4.6, 6.1.x before 6.1.4.6, and 7.0.x before 7.0.2.2, per the description above)
- cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:* (versions before 4.3.11 and 5.x before 5.6.2, per the description above)
Exploit prediction scoring system (EPSS) score for CVE-2022-23634
- EPSS score: 0.31% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-23634
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N (CVSS v2) | 8.6 | 2.9 | NIST | 
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | 
8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N | 1.6 | 5.8 | GitHub, Inc. | 
CWE ids for CVE-2022-23634
- CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23634
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
  [SECURITY] [DLA 3083-1] puma security update (Mailing List; Third Party Advisory)
- https://github.com/advisories/GHSA-wh98-p28r-vrc9
  GHSA-wh98-p28r-vrc9: Possible exposure of information vulnerability in Action Pack, CVE-2022-23633 (the Rails side of this issue), GitHub Advisory Database (Mitigation; Not Applicable; Third Party Advisory)
- https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
  GHSA-rmj8-8hhh-gv5h: Information Exposure with Puma when used with Rails, CVE-2022-23634, GitHub Advisory Database (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
  [SECURITY] [DLA 3023-1] puma security update (Mailing List; Third Party Advisory)
- https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
  Ensure `close` is called on the response body no matter what, puma/puma@b70f451 (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
  [SECURITY] Fedora 36 Update: rubygem-puma-5.5.2-3.fc36 (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/202208-28
  Puma: Multiple Vulnerabilities (GLSA 202208-28), Gentoo security (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
  [SECURITY] Fedora 35 Update: rubygem-puma-4.3.6-5.fc35 (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
  [SECURITY] Fedora 37 Update: rubygem-puma-5.6.5-1.fc37 (Mailing List; Third Party Advisory)
- https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
  Information Exposure with Puma and Rails, puma/puma security advisory (Patch; Third Party Advisory)
- https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
  [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack, ruby-security-ann (Mailing List; Mitigation; Patch; Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5146
  Debian Security Information: DSA-5146-1 puma (Third Party Advisory)