{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T16:54:46.217","vulnerabilities":[{"cve":{"id":"CVE-2021-29509","sourceIdentifier":"security-advisories@github.com","published":"2021-05-11T17:15:07.627","lastModified":"2024-11-21T06:01:16.570","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma."},
{"lang":"es","value":"Puma es un servidor HTTP versión 1.1 concurrente para aplicaciones Ruby/Rack. La solución para CVE-2019-16770 estaba incompleta. La corrección original solo protegía las conexiones existentes que ya habían sido aceptadas para evitar que sus peticiones se vieran muertas por conexiones persistentes codiciosas que saturaban todos los hilos en el mismo proceso. Sin embargo, es posible que las conexiones persistentes codiciosas sigan privando a las nuevas conexiones que saturan todos los subprocesos en todos los procesos del clúster. Un servidor \"puma\" que recibiera más conexiones \"keep-alive\" simultáneas de las que el servidor tenía subprocesos en su grupo de subprocesos daría servicio sólo a un subconjunto de conexiones, negando el servicio a las conexiones no atendidas. Este problema se ha solucionado en \"puma\" versiones 4.3.8 y 5.3.1. La configuración de \"queue_requests false\" también soluciona el problema. Esto no se recomienda cuando se usa \"puma\" sin un proxy inverso, como \"nginx\" o \"apache\", porque te expondrás a ataques lentos de clientes (por ejemplo, slowloris). La solución es muy pequeña y hay un parche de git disponible para aquellos que usan versiones no compatibles de Puma"}],
"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*","versionEndExcluding":"4.3.8","matchCriteriaId":"6615E4AB-9A83-493C-81D1-327943F967B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.3.1",
"matchCriteriaId":"8C9744B0-7CD1-4B9A-ACE6-7A6199F24FD5"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/puma/puma/security/policy","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://rubygems.org/gems/puma","source":"security-advisories@github.com","tags":["Product","Third Party Advisory"]},{"url":"https://security.gentoo.org/glsa/202208-28","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/puma/puma/security/policy","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://rubygems.org/gems/puma","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Third Party Advisory"]},
{"url":"https://security.gentoo.org/glsa/202208-28","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}