We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-45614

Header normalization allows for client to clobber proxy set headers in Puma



Description

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.

Reserved 2024-09-02 | Published 2024-09-19 | Updated 2024-09-20 | Assigner GitHub_M


MEDIUM: 5.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

>= 6.0.0, < 6.4.3
affected

< 5.6.9
affected

References

github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4

nginx.org/en/docs/http/ngx_http_core_module.html

cve.org (CVE-2024-45614)

nvd.nist.gov (CVE-2024-45614)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-45614

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.