GitHub Advisory Database: GHSA-J24P-R6WX-R79W
History: Oct 24, 2017 - 6:33 p.m.

High severity vulnerability that affects thin

2017-10-24 18:33:38
CWE-20
GitHub Advisory Database
github.com

CVSS2: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.005 Low
Percentile: 75.6%

lib/thin/connection.rb in Thin web server before 1.2.4 relies on the X-Forwarded-For header to determine the IP address of the client, which allows remote attackers to spoof the IP address and hide activities via a modified X-Forwarded-For header.

Affected configurations

Vulners
Node: macournoyer thin, Range: <1.2.4

CPE Name    Operator    Version
thin        lt          1.2.4
