rubysec · postmodern · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024
diff --git a/gems/puma/CVE-2024-21647.yml b/gems/puma/CVE-2024-21647.yml
@@ -0,0 +1,43 @@
+---
+gem: puma
+cve: 2024-21647
+ghsa: c2f4-cvqm-65w2
+url: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
+title: Puma HTTP Request/Response Smuggling vulnerability
+date: 2024-01-08
+description: |
+
+  ### Impact
+  Prior to versions 6.4.2 and 5.6.8, puma exhibited incorrect
+  behavior when parsing chunked transfer encoding bodies in a
+  way that allowed HTTP request smuggling.
+
+  Fixed versions limit the size of chunk extensions. Without this
+  limit, an attacker could cause unbounded resource (CPU, network
+  bandwidth) consumption.
+
+  ### Patches
+
+  The vulnerability has been fixed in 6.4.2 and 5.6.8.
+
+  ### Workarounds
+
+  No known workarounds.
+
+  ### References
+
+  * [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)
+  * Open an issue in [Puma](https://github.com/puma/puma)
+  * See our [security policy](https://github.com/puma/puma/security/policy)
+cvss_v3: 5.9
+patched_versions:
+  - "~> 5.6.8"
+  - ">= 6.4.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-21647
+    - https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
+    - https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
+    - https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
+    - https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
+    - https://github.com/advisories/GHSA-c2f4-cvqm-65w2