GHSA-9hf4-67fc-4vf4

Source

https://github.com/advisories/GHSA-9hf4-67fc-4vf4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9hf4-67fc-4vf4/GHSA-9hf4-67fc-4vf4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9hf4-67fc-4vf4

Aliases

CVE-2024-45614

Related

CGA-7qjr-6v4f-v99j

Published

2024-09-20T14:40:16Z

Modified

2024-09-20T22:22:56.696793Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Puma's header normalization allows for client to clobber proxy set headers

Details

Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.

Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.

Workarounds

Nginx has a underscoresinheaders configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

References

Affected packages

RubyGems / puma

Package

Name: puma
Purl: pkg:gem/puma

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.9

Affected versions

0.*

0.8.0

0.8.1

0.8.2

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

2.*

2.0.0.b1

2.0.0.b2

2.0.0.b3

2.0.0.b4

2.0.0.b5

2.0.0.b6

2.0.0.b7

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.9.0

2.9.1

2.9.2

2.10.0

2.10.1

2.10.2

2.11.0

2.11.1

2.11.2

2.11.3

2.12.0

2.12.1

2.12.2

2.12.3

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.15.0

2.15.1

2.15.2

2.15.3

2.16.0

3.*

3.0.0.rc1

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

3.5.2

3.6.0

3.6.1

3.6.2

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2

3.9.0

3.9.1

3.10.0

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.12.0

3.12.1

3.12.2

3.12.4

3.12.5

3.12.6

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.2.0

4.2.1

4.3.0

4.3.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.3.12

5.*

5.0.0.beta1

5.0.0.beta2

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.3.0

5.3.1

5.3.2

5.4.0

5.5.0

5.5.1

5.5.2

5.6.0

5.6.1

5.6.2

5.6.4

5.6.5

5.6.6

5.6.7

5.6.8

RubyGems / puma

Package

Name: puma
Purl: pkg:gem/puma

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.4.3

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.1.1

6.2.0

6.2.1

6.2.2

6.3.0

6.3.1

6.4.0

6.4.1

6.4.2