GHSA-9hf4-67fc-4vf4

Suggest an improvement
Source
https://github.com/advisories/GHSA-9hf4-67fc-4vf4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9hf4-67fc-4vf4/GHSA-9hf4-67fc-4vf4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9hf4-67fc-4vf4
Aliases
Related
Published
2024-09-20T14:40:16Z
Modified
2024-09-20T22:22:56.696793Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Puma's header normalization allows for client to clobber proxy set headers
Details

Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.

Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.

Workarounds

Nginx has a underscoresinheaders configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

Database specific
{
    "nvd_published_at": "2024-09-19T23:15:11Z",
    "cwe_ids": [
        "CWE-444",
        "CWE-639"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-20T14:40:16Z"
}
References

Affected packages

RubyGems / puma

Package

Name
puma
Purl
pkg:gem/puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.6.9

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0.b1
2.0.0.b2
2.0.0.b3
2.0.0.b4
2.0.0.b5
2.0.0.b6
2.0.0.b7
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.15.0
2.15.1
2.15.2
2.15.3
2.16.0

3.*

3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2
3.12.4
3.12.5
3.12.6

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
4.3.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12

5.*

5.0.0.beta1
5.0.0.beta2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.5.1
5.5.2
5.6.0
5.6.1
5.6.2
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8

RubyGems / puma

Package

Name
puma
Purl
pkg:gem/puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.4.3

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.2.2
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2