{
  "threat_severity" : "Important",
  "public_date" : "2024-01-08T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies",
    "id" : "2257340",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2257340"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.", "A flaw was found in Puma rubygem. Versions prior 6.4.2 are susceptible to a HTTP smuggling attack when parsing chunked transfer encoding bodies on HTTP messages, which don't limit the size of the message chunk extensions. This issue may lead to uncontrolled resource consumption, possibly resulting in a denial of service of the attacked server." ],
  "statement" : "For Red Hat Satellite the affected version of the package tfm-rubygem-puma applies to EL7 only, which means it only applies to Satellite 6.11 on RHEL 7 which is currently out of support.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:2010",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "rubygem-puma-0:6.4.2-1.el8sat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "tfm-rubygem-puma",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-21647\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21647\nhttps://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2" ],
  "name" : "CVE-2024-21647",
  "csaw" : false
}