CVE-2024-45614: Puma's header normalization allows for client to clobber proxy set headers
Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
References
- github.com/advisories/GHSA-9hf4-67fc-4vf4
- github.com/puma/puma
- github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
- github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
- github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml
- nginx.org/en/docs/http/ngx_http_core_module.html
- nvd.nist.gov/vuln/detail/CVE-2024-45614
Code Behaviors & Features
Detect and mitigate CVE-2024-45614 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →