CVE-2019-16770
REJECTED
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Risk Scores
EPSS Score: 1.59% (82.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | puma | 0, 3.12.0-2ubuntu1 |
Exploit Intelligence
- file.History.html (github-poc)
Timeline
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-16770 third-party-advisory
- https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-16770 third-party-advisory