CVE-2022-24790
📋 TL;DR
CVE-2022-24790 is an HTTP request smuggling vulnerability in the Puma HTTP server for Ruby/Rack applications. When Puma sits behind a front-end proxy that does not validate incoming requests against RFC 7230, the proxy and Puma can disagree on where one request ends and the next begins, so an attacker can hide a second request inside a request the proxy forwards. The smuggled request is then handled by Puma without ever being inspected by the proxy's access rules.
💻 Affected Systems
- Puma HTTP Server (puma gem): versions before 4.3.12 on the 4.x line, and 5.0.0 through 5.6.3 on the 5.x line; fixed in 4.3.12 and 5.6.4
📦 What is this software?
Puma by Puma
Fedora by Fedoraproject (ships the puma gem as a distribution package)
⚠️ Risk & Real-World Impact
Worst Case
A smuggled request reaches endpoints the proxy was supposed to block (admin or internal routes), poisons whatever the proxy caches, or hijacks the next user's request on the same backend connection. What that yields in turn (credential theft, authentication bypass, or code execution) depends on the backend application.
Likely Case
Bypass of proxy-enforced access controls and WAF rules by smuggling a second request past the proxy, and injection of attacker-controlled requests into other users' connections.
If Mitigated
Low. A fixed Puma rejects the ambiguous framing itself, so a lenient proxy no longer produces a disagreement. If only the proxy is hardened and Puma is left unpatched, residual risk remains for any malformed request form the proxy still forwards.
🎯 Exploit Status
Exploitation requires a front-end proxy that forwards requests without enforcing RFC 7230 framing, plus a crafted request that the proxy and Puma parse to different lengths. The technique is standard HTTP request smuggling and does not depend on the application code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.4 or 4.3.12
Vendor Advisory: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Restart Required: Yes (a full restart of the Puma process, so the updated gem is actually loaded)
Instructions:
1. Pin puma to 5.6.4 or later (or 4.3.12 or later if you stay on the 4.x line) in the Gemfile and run 'bundle update puma'; for a standalone install, 'gem update puma'.
2. Fully restart the Puma server.
3. Verify with 'bundle exec puma -v' (or 'puma -v'), which prints the version that will actually serve traffic.
🔧 Temporary Workarounds
Enforce RFC 7230 request validation on the front-end proxy
Configure the front-end proxy to reject, rather than forward, any request whose framing is not RFC 7230-compliant: for example a request carrying both Transfer-Encoding and Content-Length, several Content-Length values that disagree, whitespace in a header name before the colon, or a malformed chunk size. If the proxy and Puma cannot disagree on where a request ends, there is nothing to smuggle.
# The setting depends on the proxy (nginx, Apache httpd, HAProxy, etc.): use its strict HTTP/1.1 parsing options and do not enable any "accept invalid requests" compatibility mode.
# Re-test the proxy with malformed requests after any change; a compliant proxy answers them with 400 instead of forwarding them.
🧯 If You Can't Patch
- Deploy a Web Application Firewall (WAF) with HTTP request smuggling protection in front of, or as part of, the proxy
- Implement network segmentation so Puma is reachable only from the proxy, and treat the proxy as the single point where requests are validated
🔍 How to Verify
Check if Vulnerable:
Check the version Puma actually runs with: 'bundle exec puma -v' inside the application, 'gem list puma' for a standalone install, or the 'puma (x.y.z)' line in Gemfile.lock. Versions below 4.3.12 on the 4.x line, and 5.0.0 through 5.6.3 on the 5.x line, are vulnerable.
Check Version:
puma -v
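The version check above, written out as a script you can point at a real Gemfile.lock. This is an added example, not Puma's own tooling; the vulnerable ranges (< 4.3.12, and >= 5.0.0 < 5.6.4) follow the advisory linked above, and the lockfile text is constructed sample input.

```ruby
# Added example (not Puma's tooling): decide from a Gemfile.lock whether the
# locked puma falls in a range affected by CVE-2022-24790.
require "rubygems" # Gem::Version and Gem::Requirement

VULNERABLE_RANGES = [
  Gem::Requirement.new("< 4.3.12"),
  Gem::Requirement.new(">= 5.0.0", "< 5.6.4"),
].freeze

def vulnerable_puma?(version_string)
  version = Gem::Version.new(version_string)
  VULNERABLE_RANGES.any? { |range| range.satisfied_by?(version) }
end

# The locked version is the 4-space-indented "puma (x.y.z)" line in the specs
# section. Dependency lines use 6 spaces and the DEPENDENCIES section holds
# constraints such as "(~> 5.6)", so neither matches. Returns nil if absent.
def locked_puma_version(lockfile_text)
  match = lockfile_text.match(/^ {4}puma \(([^)\s]+)\)$/)
  match && match[1]
end

# Returns :vulnerable, :fixed or :not_locked.
def audit_lockfile(lockfile_text)
  version = locked_puma_version(lockfile_text)
  return :not_locked unless version
  vulnerable_puma?(version) ? :vulnerable : :fixed
end

# Constructed sample lockfile (the shape `bundle lock` writes), pinning 5.6.2.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (5.6.2)
        nio4r (~> 2.0)
      rack (2.2.3)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    puma (~> 5.6)
    rack
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "puma #{locked_puma_version(text).inspect}: #{audit_lockfile(text)}"
end
```

Run it as 'ruby audit_puma.rb path/to/Gemfile.lock' (the file name is an assumption); with no argument it audits the embedded sample. Gem::Requirement does the range comparison, so prerelease and multi-digit components compare correctly instead of as strings.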
Verify Fix Applied:
After updating, run 'bundle exec puma -v' (or 'puma -v') and confirm the version is 5.6.4+ or 4.3.12+. Then send the standard smuggling probes through the proxy (a request with both Transfer-Encoding and Content-Length, a request with a malformed chunk size) and confirm they are answered with 400 by the proxy, or at least by Puma, rather than forwarded and served.
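The checks a strict proxy has to make, and the probes to verify them with, as one added example that is not Puma's code. It validates the framing of a raw HTTP/1.1 request the way RFC 7230 requires and reports every place where a lenient proxy and Puma could disagree on where the request ends; the sample requests are constructed for this example and are not specific exploit payloads. Feed the flagged samples to your proxy to confirm it rejects them, or run the function over captured request bytes.

```ruby
# Added example, not Puma's own code: a strict RFC 7230 framing validator for a
# raw HTTP/1.1 request. It reports the header and body forms that let a lenient
# front-end proxy and Puma disagree on where one request ends, the discrepancy
# class behind CVE-2022-24790. Sample requests below are constructed.

CHUNK_SIZE_LINE = /\A[0-9A-Fa-f]+(;.*)?\z/ # hex size, optional chunk extension

# Split a raw request into [request_line, [[name, value], ...], body, problems].
# A header name with surrounding whitespace ("Transfer-Encoding : chunked") is
# reported, not normalised: parsers disagree on whether that header exists.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  request_line = lines.shift.to_s
  problems = []
  headers = []
  lines.each do |line|
    name, value = line.split(":", 2)
    if value.nil? || name.strip.empty?
      problems << "malformed header line #{line.inspect}"
    elsif name != name.strip
      problems << "whitespace around header name #{name.inspect}"
    else
      headers << [name.downcase, value.strip]
    end
  end
  [request_line, headers, body.to_s, problems]
end

# Walk a chunked body strictly. Returns [problems, bytes left after the last
# chunk]; leftover bytes are exactly what a smuggled second request looks like.
def check_chunked(body)
  pos = 0
  loop do
    eol = body.index("\r\n", pos)
    return [["truncated chunk-size line"], ""] if eol.nil?
    size_line = body[pos...eol]
    unless size_line.match?(CHUNK_SIZE_LINE)
      return [["invalid chunk-size line #{size_line.inspect}"], ""]
    end
    size = size_line.split(";", 2).first.to_i(16)
    if size.zero? # last-chunk, optional trailers, then an empty line
      term = body.index("\r\n\r\n", eol)
      return [["truncated trailer section"], ""] if term.nil?
      return [[], body[(term + 4)..-1]]
    end
    data_end = eol + 2 + size
    if body.bytesize < data_end + 2 || body[data_end, 2] != "\r\n"
      return [["chunk of #{size} bytes not terminated by CRLF"], ""]
    end
    pos = data_end + 2
  end
end

# List the framing violations; an empty list means a strict proxy and Puma
# would agree on the request boundary.
def framing_violations(raw)
  raw = raw.b
  request_line, headers, body, problems = parse_request(raw)
  problems << "not an HTTP/1.1 request line" unless request_line.end_with?(" HTTP/1.1")

  te = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
  cls = headers.select { |n, _| n == "content-length" }.map(&:last)

  problems << "Transfer-Encoding and Content-Length both present" if te.any? && cls.any?
  problems << "multiple Content-Length values disagree" if cls.uniq.size > 1
  cls.each { |v| problems << "non-numeric Content-Length #{v.inspect}" unless v.match?(/\A\d+\z/) }

  codings = te.flat_map { |v| v.split(",").map { |c| c.strip.downcase } }
  if te.any?
    problems << "chunked is not the final transfer coding" unless codings.last == "chunked"
    problems << "chunked applied more than once" if codings.count("chunked") > 1
  end

  if codings.last == "chunked"
    chunk_problems, leftover = check_chunked(body)
    problems.concat(chunk_problems)
    problems << "#{leftover.bytesize} bytes after final chunk" unless leftover.empty?
  elsif cls.uniq.size == 1 && cls.first.match?(/\A\d+\z/)
    declared = cls.first.to_i
    problems << "body is #{body.bytesize} bytes but Content-Length is #{declared}" if body.bytesize != declared
  end
  problems
end

# Constructed samples with CRLF line endings as on the wire.
HEAD = "POST /submit HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
  clean: HEAD + "Content-Length: 5\r\n\r\nhello",
  cl_te: HEAD + "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n" \
               "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n",
  te_space: HEAD + "Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
  bad_chunk: HEAD + "Transfer-Encoding: chunked\r\n\r\n0x5\r\nhello\r\n0\r\n\r\n",
  te_not_last: HEAD + "Transfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n",
}

if __FILE__ == $0
  SAMPLES.each { |name, raw| puts "#{name}: #{framing_violations(raw).inspect}" }
end
```

The clean sample yields no violations. The cl_te sample is the textbook proxy/back-end disagreement: the leftover bytes after the terminating chunk are a complete second request that a Content-Length-based parser would treat as part of the body and a chunked parser would serve on its own. The remaining samples show the obfuscations (whitespace in the header name, a non-hex chunk size, chunked not being the final coding) that a strict proxy must answer with 400 rather than forward.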
📡 Detection & Monitoring
Log Indicators:
- Requests in Puma or application logs that have no matching entry in the proxy access log (the proxy saw one request, the backend served two)
- Puma's "HTTP parse error, malformed request" log line: a fixed Puma answers rejected framing with 400, so a rise in these after upgrading indicates probing
- Malformed headers in captured traffic: both Transfer-Encoding and Content-Length, duplicate Content-Length values, whitespace before the colon in a header name, non-hex chunk sizes
Network Indicators:
- Backend requests to admin or internal paths that the proxy's rules should have blocked
- Unexpected additional requests on a single proxy-to-Puma keep-alive connection
SIEM Query:
Illustrative pseudo-query; source and field names depend on your proxy's and Puma's log schema:
source="proxy_logs" AND (http_status=400 OR (header="Transfer-Encoding" AND header="Content-Length")) OR (source="puma_logs" AND message="HTTP parse error, malformed request")
🔗 References
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://security.gentoo.org/glsa/202208-28
- https://www.debian.org/security/2022/dsa-5146