diff --git a/CHANGELOG.md b/CHANGELOG.md
index 751d9edf8a..f6ec6fa221 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 fail safe and the negative privilege statement (revoke, deny) is the final outcome
 [CONJSE-1785](https://ca-il-jira.il.cyber-ark.com:8443/browse/CONJSE-1785)
 
+- Update puma to 6.3.1 to address CVE-2023-40175.
+ [CNJR-2564](https://ca-il-jira.il.cyber-ark.com:8443/browse/CNJR-2564)
 
 ## [1.19.5] - 2023-06-29
 
diff --git a/Gemfile b/Gemfile
index 9b1494575c..78e6dc78cb 100644
--- a/Gemfile
+++ b/Gemfile
@@ -19,7 +19,7 @@ gem 'http', '~> 4.2.0'
 gem 'iso8601'
 gem 'jbuilder', '~> 2.7.0'
 gem 'nokogiri', '>= 1.8.2'
-gem 'puma', '~> 5.6'
+gem 'puma', '~> 6'
 gem 'rack', '~> 2.2'
 gem 'rails', '~> 6.1', '>= 6.1.4.6'
 gem 'rake'
@@ -60,6 +60,9 @@ gem 'net-ldap'
 # for AWS rotator
 gem 'aws-sdk-iam', require: false
 
+# we need this version since any newer introduces braking change that causes issues with safe_yaml: https://github.com/ruby/psych/discussions/571
+gem 'psych', '=3.3.2'
+
 group :production do
 gem 'rails_12factor'
 end
@@ -70,7 +73,8 @@ gem 'kubeclient'
 gem 'websocket'
 
 # authn-oidc, gcp, azure, jwt
-gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+# gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+gem 'jwt', '2.7.1'
 
 # authn-oidc
 gem 'openid_connect', '~> 2.0'
@@ -88,6 +92,7 @@ group :development, :test do
 gem 'cucumber', '~> 7.1'
 gem 'database_cleaner', '~> 1.8'
 gem 'debase', '~> 0.2.5.beta2'
+ gem 'debase-ruby_core_source', '~> 3.2.1'
 gem 'json_spec', '~> 1.1'
 gem 'faye-websocket'
 gem 'net-ssh'
@@ -101,7 +106,7 @@ group :development, :test do
 gem 'rspec'
 gem 'rspec-core'
 gem 'rspec-rails'
- gem 'ruby-debug-ide'
+ # gem 'ruby-debug-ide'
 # We use a post-coverage hook to sleep covered processes until we're ready to
 # collect the coverage reports in CI. Because of this, we don't want bundler
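Review bot: The new constraint `gem 'puma', '~> 6'` in the first Gemfile hunk admits every 6.x release, including 6.0.0 through 6.3.0, while the CHANGELOG entry in this same commit names 6.3.1 as the release that addresses CVE-2023-40175; only Gemfile.lock currently holds the fixed version. Stating the floor in the Gemfile itself, `gem 'puma', '~> 6.3', '>= 6.3.1'`, in the same form the file already uses for rails, keeps a later `bundle update` or a regenerated lockfile from resolving to an unfixed 6.x. The same consideration applies to `gem 'jwt', '2.7.1'` in the fourth hunk if the intent is "at least this version" rather than an exact freeze; if it is a freeze, a short comment saying why, as the removed line had, would help the next upgrade.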
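Review bot: The exact pin `gem 'psych', '=3.3.2'` in the second Gemfile hunk freezes the YAML parser at a single release, so any later psych fix is excluded until someone revisits this line, and the comment above it gives no owner or exit condition for that state. I would rewrite the comment as `# TODO(<ticket>): pinned because psych >= 4 (presumably the YAML.load → safe_load change, see https://github.com/ruby/psych/discussions/571) breaks safe_yaml; drop the pin once safe_yaml is replaced.` ("braking" is also a typo for "breaking"). In the fourth and last hunks the superseded lines `# gem 'jwt', '2.2.2' …` and `# gem 'ruby-debug-ide'` are kept as comments; deleting them is cleaner, since git history already records them and commented-out dependencies tend to be re-enabled without review. The last hunk runs past the end of this view.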
diff --git a/Gemfile.lock b/Gemfile.lock
index 3a5cc1c1b3..24761c1cd0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -176,7 +176,7 @@ GEM
 date (3.3.3)
 debase (0.2.5.beta2)
 debase-ruby_core_source (>= 0.10.12)
- debase-ruby_core_source (0.10.13)
+ debase-ruby_core_source (3.2.1)
 deep_merge (1.2.2)
 diff-lcs (1.4.4)
 docile (1.4.0)
@@ -269,7 +269,7 @@ GEM
 rspec (>= 2.0, < 4.0)
 jsonpath (1.1.0)
 multi_json
- jwt (2.2.2)
+ jwt (2.7.1)
 kubeclient (4.9.3)
 http (>= 3.0, < 5.0)
 jsonpath (~> 1.0)
@@ -342,8 +342,9 @@ GEM
 pry (~> 0.13.0)
 pry-rails (0.3.9)
 pry (>= 0.10.4)
+ psych (3.3.2)
 public_suffix (5.0.1)
- puma (5.6.4)
+ puma (6.3.1)
 nio4r (~> 2.0)
 racc (1.7.1)
 rack (2.2.7)
@@ -444,8 +445,6 @@ GEM
 unicode-display_width (~> 1.0, >= 1.0.1)
 rubocop-checkstyle_formatter (0.4.0)
 rubocop (>= 0.35.1)
- ruby-debug-ide (0.7.3)
- rake (>= 0.8.1)
 ruby-next-core (0.14.0)
 ruby-progressbar (1.11.0)
 ruby2_keywords (0.0.5)
@@ -544,6 +543,7 @@ DEPENDENCIES
 cucumber (~> 7.1)
 database_cleaner (~> 1.8)
 debase (~> 0.2.5.beta2)
+ debase-ruby_core_source (~> 3.2.1)
 dry-struct
 dry-types
 event_emitter
@@ -557,21 +557,22 @@ DEPENDENCIES
 jbuilder (~> 2.7.0)
 json_schemer
 json_spec (~> 1.1)
- jwt (= 2.2.2)
+ jwt (= 2.7.1)
 kubeclient
 listen
 loofah (>= 2.2.3)
 net-ldap
 net-ssh
 nokogiri (>= 1.8.2)
- openid_connect (= 2.2.0)
+ openid_connect (~> 2.0)
 parallel
 parallel_tests
 pg
 prometheus-client
 pry-byebug
 pry-rails
- puma (~> 5.6)
+ psych (= 3.3.2)
+ puma (~> 6)
 rack (~> 2.2)
 rack-rewrite
 rails (~> 6.1, >= 6.1.4.6)
@@ -587,7 +588,6 @@ DEPENDENCIES
 rspec-rails
 rubocop (~> 0.58.0)
 rubocop-checkstyle_formatter
- ruby-debug-ide
 sequel
 sequel-pg_advisory_locking
 sequel-postgres-schemata
diff --git a/NOTICES.txt b/NOTICES.txt
index 9f776f0a92..e30c658d96 100644
--- a/NOTICES.txt
+++ b/NOTICES.txt
@@ -20,7 +20,7 @@ Section 3: BSD-3-Clause
 
 >>> https://rubygems.org/gems/base32-crockford/versions/0.1.0
 >>> https://rubygems.org/gems/ffi/versions/1.15.4
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.3.1
 
 Section 4: MIT
 
@@ -37,13 +37,13 @@ Section 4: MIT
 >>> https://rubygems.org/gems/http/versions/4.2.0
 >>> https://rubygems.org/gems/iso8601/versions/0.13.0
 >>> https://rubygems.org/gems/jbuilder/versions/2.7.0
->>> https://rubygems.org/gems/jwt/versions/2.2.2
+>>> https://rubygems.org/gems/jwt/versions/2.7.1
 >>> https://rubygems.org/gems/kubeclient/versions/4.9.3
 >>> https://rubygems.org/gems/listen/versions/3.7.0
 >>> https://rubygems.org/gems/loofah/versions/2.20.0
 >>> https://rubygems.org/gems/net-ldap/versions/0.17.0
 >>> https://rubygems.org/gems/nokogiri/versions/1.14.3
->>> https://rubygems.org/gems/openid_connect/versions/1.3.0
+>>> https://rubygems.org/gems/openid_connect/versions/2.2.0
 >>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
 >>> https://rubygems.org/gems/rails/versions/6.1.7.3
 >>> https://rubygems.org/gems/rake/versions/13.0.6
@@ -214,7 +214,7 @@ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.3.1
 
 Some code copyright (c) 2005, Zed Shaw
 Copyright (c) 2011, Evan Phoenix
@@ -546,7 +546,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
->>> https://rubygems.org/gems/jwt/versions/2.2.2
+>>> https://rubygems.org/gems/jwt/versions/2.7.1
 
 Copyright (c) 2011 Jeff Lindsay
 
@@ -680,7 +680,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
->>> https://rubygems.org/gems/openid_connect/versions/1.3.0
+>>> https://rubygems.org/gems/openid_connect/versions/2.2.0
 
 Copyright (c) 2011 nov matake
 
diff --git a/ci/shared.sh b/ci/shared.sh
index 74aaf08f10..081fb0b4f6 100644
--- a/ci/shared.sh
+++ b/ci/shared.sh
@@ -185,7 +185,7 @@ _run_cucumber_tests() {
 # process to write the report. The container is kept alive using an infinite
 # sleep in the at_exit hook (see .simplecov).
 for parallel_service in "${parallel_services[@]}"; do
- $COMPOSE exec -T "$parallel_service" bash -c "pkill -f 'puma 5'"
+ $COMPOSE exec -T "$parallel_service" bash -c "pkill -f 'puma 6'"
 done
 }
 
diff --git a/ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh b/ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh
index d01e8f1d52..207fad3997 100755
--- a/ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh
+++ b/ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh
@@ -57,7 +57,7 @@ function finish {
 echo "Killing conjur so that coverage report is written"
 # The container is kept alive using an infinite sleep in the at_exit hook
 # (see .simplecov) so that the kubectl cp below works.
- kubectl exec "${conjur_pod_name}" -- bash -c "pkill -f 'puma 5'"
+ kubectl exec "${conjur_pod_name}" -- bash -c "pkill -f 'puma 6'"
 
 echo "Retrieving coverage report"
 kubectl cp \
diff --git a/config/puma.rb b/config/puma.rb
index f8b8c5579e..d996f7f5b2 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -65,7 +65,6 @@
 # available in this config file.
 preload_app!
 
-rackup DefaultRackup
 port ENV['PORT'] || 3000
 environment ENV['RACK_ENV'] || 'development'
 
diff --git a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature
index 28fb3af4dc..4d002926ee 100644
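Review bot: The pattern `pkill -f 'puma 6'` in ci/shared.sh hard-codes the server's major version into the process-title match, so this line and the identical one in ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh must both be edited on every puma major bump, and a pattern that falls out of date leaves the server running and the coverage report unwritten (whether that fails the job depends on shell options outside these hunks). A version-agnostic match, `pkill -f 'puma [0-9]'`, covers both places, or define the pattern once in ci/shared.sh and reuse it from the k8s entrypoint. Both enclosing functions, `_run_cucumber_tests` and `finish`, start before their hunks.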
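Review bot: The deletion of `rackup DefaultRackup` in config/puma.rb carries no explanation, so a reader of the file cannot tell whether the line went away because the puma 6 upgrade removed that constant (which is what the rest of this commit suggests) or because the app no longer needs a rackup file. A one-line comment in its place, `# DefaultRackup is gone in puma 6; puma falls back to config.ru on its own — confirm against the puma 6 DSL docs`, records the reason and makes the intended rackup source explicit.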
--- a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature
+++ b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature
@@ -365,7 +365,7 @@ Feature: JWT Authenticator - Check registered claim
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')>
+ CONJ00035E Failed to decode token (3rdPartyError ='#')>
 """
 
 @negative @acceptance
@@ -454,7 +454,7 @@ Feature: JWT Authenticator - Check registered claim
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')>
+ CONJ00035E Failed to decode token (3rdPartyError ='#')>
 """
 
 @sanity
diff --git a/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature b/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
index b4b3e864ae..6bfcc7aead 100644
--- a/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
+++ b/cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature
@@ -550,7 +550,7 @@ Feature: JWT Authenticator - Fetch signing key
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')
+ CONJ00035E Failed to decode token (3rdPartyError ='#')
 """
 
 @negative @acceptance
@@ -605,7 +605,7 @@ Feature: JWT Authenticator - Fetch signing key
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')
+ CONJ00035E Failed to decode token (3rdPartyError ='#')
 """
 
 @negative @acceptance
diff --git a/cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature b/cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature
index 6cd17e769c..9e90b39147 100644
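Review bot: The updated log expectation in the first hunk of authn_jwt_check_standard_claims.feature binds the assertion to the exact text of the third-party exception inside `3rdPartyError ='…'`, which is why a jwt version bump has to touch six scenarios across this file, authn_jwt_fetch_signing_key.feature and authn_jwt_validate_and_decode.feature. The old and new lines are rendered identically in this view (the angle-bracketed exception text appears to have been stripped during extraction), so the wording change itself cannot be checked here. Asserting only on the stable Conjur prefix, `CONJ00035E Failed to decode token`, and checking the library's message only in the scenarios that are specifically about it would decouple the suite from the jwt gem's error format.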
--- a/cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature
+++ b/cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature
@@ -77,7 +77,7 @@ Feature: JWT Authenticator - Validate And Decode
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')>
+ CONJ00035E Failed to decode token (3rdPartyError ='#')>
 """
 
 @negative @acceptance
@@ -102,5 +102,5 @@ Feature: JWT Authenticator - Validate And Decode
 Then the HTTP response status code is 401
 And The following appears in the log after my savepoint:
 """
- CONJ00035E Failed to decode token (3rdPartyError ='#')>
+ CONJ00035E Failed to decode token (3rdPartyError ='#')>
 """