
CVE-2024-45614

2024-09-19 23:15:11
CWE-639, CWE-444
GitHub_M
web.nvd.nist.gov
28
Tags: puma, ruby, web server, clobber, headers, proxy, nginx, security, upgrade, cve-2024-45614

CVSS3: 5.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 5.5 (Confidence: High)
EPSS: 0.001 (Percentile: 17.7%)

Puma is a Ruby/Rack web server built for parallelism. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any user relying on proxy-set variables is affected. Versions v6.4.3/v5.6.9 now discard any header using underscores if the non-underscore version also exists, so the proxy-defined headers always win. Users are advised to upgrade. As a mitigation, Nginx has an underscores_in_headers configuration variable that discards these headers at the proxy level. Any users implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.
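The collision described above comes from CGI-style header normalization: a Rack env key is built by upcasing the header name and turning both "-" and "_" into "_", so X-Forwarded-For and X-Forwarded_For both become HTTP_X_FORWARDED_FOR. The following is an added example, not Puma's own parser code, that models this with a small in-memory header list. The sample headers, the IP values, and the assumption that a parser merges colliding keys with ", " (a common convention for repeated headers; the page does not state how Puma merges them) are all constructed for the illustration. The hardened builder implements the rule the advisory describes for the fixed versions: drop an underscore spelling whenever the hyphenated spelling is also present.

```ruby
# Added example (not Puma's own code): CGI-style header normalization lets a
# client-supplied "X-Forwarded_For" collide with the proxy-set
# "X-Forwarded-For"; the hardened builder applies the advisory's fix rule.

# Rack/CGI env key: upcase, '-' and '_' both become '_', prefix HTTP_.
# This mapping is where the two spellings collapse into one key.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Vulnerable behaviour: every header is written to the env in arrival order.
# Colliding keys are merged with ", " (assumed merge convention), so the
# client-controlled text ends up inside the proxy-set value.
def build_env_clobberable(headers)
  env = {}
  headers.each do |name, value|
    key = env_key(name)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
  env
end

# Hardened behaviour (modelled on the advisory's description of the fix):
# if a header name contains an underscore and a hyphenated spelling of the
# same name also appears in the request, the underscore variant is dropped,
# so the proxy-defined header always wins.
def build_env_hardened(headers)
  names = headers.map { |name, _| name.downcase }
  env = {}
  headers.each do |name, value|
    if name.include?("_")
      hyphenated = name.downcase.tr("_", "-")
      next if names.include?(hyphenated) # discard the underscore variant
    end
    key = env_key(name)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
  env
end

# Typical application logic that trusts the proxy: take the first entry of
# X-Forwarded-For as the client address.
def client_ip(env)
  value = env["HTTP_X_FORWARDED_FOR"]
  value && value.split(",").first.strip
end

# Constructed sample request, in arrival order: the client sent an underscore
# spelling, and the reverse proxy set the real X-Forwarded-For. Both IPs are
# documentation addresses chosen for the example.
SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded_For", "10.0.0.1"],     # client-supplied spelling
  ["X-Forwarded-For", "203.0.113.5"],  # set by the reverse proxy
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{client_ip(build_env_clobberable(SAMPLE_HEADERS))}"
  puts "hardened:   #{client_ip(build_env_hardened(SAMPLE_HEADERS))}"
end
```

Run the file directly to see the two results side by side: the clobberable env reports the client-chosen address, while the hardened env reports the address the proxy recorded. A header that only exists in an underscore spelling (with no hyphenated twin in the same request) is still passed through by the hardened builder, matching the advisory's wording that the underscore header is discarded only "if the non-underscore version also exists".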

Affected configurations (sources: Nvd, Vulners)

Vendor   Product   Range            Platform
puma     puma      < 5.6.9          ruby
OR
puma     puma      6.0.0 to 6.4.3   ruby

Vendor   Product   Version   CPE
puma     puma      *         cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*

CNA Affected

[
  {
    "vendor": "puma",
    "product": "puma",
    "versions": [
      {
        "version": ">= 6.0.0, < 6.4.3",
        "status": "affected"
      },
      {
        "version": "< 5.6.9",
        "status": "affected"
      }
    ]
  }
]
