CVE-2021-29509: Uncontrolled Resource Consumption

May 11, 2021 (updated October 27, 2022)

Puma is a concurrent HTTP server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

References

nvd.nist.gov/vuln/detail/CVE-2021-29509

Detect and mitigate CVE-2021-29509 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →