CVE-2024-45614

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4	Vendor Advisory
https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puma:puma::::::ruby::*
	cpe:2.3:a:puma:puma::::::ruby::*

History

No history.

Information

Published : 2024-09-19 23:15

Updated : 2024-09-26 13:28

NVD link : CVE-2024-45614

Mitre link : CVE-2024-45614

CVE.ORG link : CVE-2024-45614

JSON object : View

Products Affected

puma

puma

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

{"id": "CVE-2024-45614", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.2}]}, "published": "2024-09-19T23:15:11.703", "references": [{"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "tags": ["Product"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."}, {"lang": "es", "value": "Puma es un servidor web Ruby/Rack creado para el paralelismo. En las versiones afectadas, los clientes pod\u00edan alterar los valores establecidos por los servidores proxy intermedios (como X-Forwarded-For) al proporcionar una versi\u00f3n con guiones bajos del mismo encabezado (X-Forwarded_For). Todos los usuarios que dependan de las variables establecidas por el proxy se ven afectados. v6.4.3/v5.6.9 ahora descarta cualquier encabezado que utilice guiones bajos si tambi\u00e9n existe la versi\u00f3n sin guiones bajos. De hecho, permite que los encabezados definidos por el proxy siempre prevalezcan. Se recomienda a los usuarios que actualicen. Nginx tiene una variable de configuraci\u00f3n underscores_in_headers para descartar estos encabezados a nivel de proxy como mitigaci\u00f3n. Todos los usuarios que conf\u00eden impl\u00edcitamente en los encabezados definidos por el proxy por razones de seguridad deben dejar de hacerlo de inmediato hasta que se actualicen a las versiones corregidas."}], "lastModified": "2024-09-26T13:28:30.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "97372632-D7E2-4DE6-A0CB-4191EF627AF4", "versionEndExcluding": "5.6.9"}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "70AE8ED4-BC0B-4714-9B00-EF4A321DACAC", "versionEndExcluding": "6.4.3", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}