CVE-2024-21510

Name: CVE-2024-21510
Description: Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1087290
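The mechanism in the description, as an added illustration (not Sinatra's own code): a redirect helper that takes its host from X-Forwarded-Host emits whatever that header says in Location, while a variant that only honours the header for an operator-configured allowlist falls back to the Host header. TRUSTED_HOSTS, naive_host, hardened_host and the request environment are constructed for this example.

```ruby
# Added illustration of CWE-807-style reliance on X-Forwarded-Host when
# building an absolute redirect target, beside an allowlist mitigation.
# Not Sinatra's implementation; names and sample values are constructed.

# Hostnames this deployment actually serves (constructed sample values).
TRUSTED_HOSTS = %w[app.example.test www.app.example.test].freeze

# Naive host selection: the proxy header, when present, wins over Host.
# This is the behaviour the advisory describes.
def naive_host(env)
  env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
end

# Hardened host selection: X-Forwarded-Host is used only when its first
# value names a trusted host; anything else falls back to the Host header.
def hardened_host(env, trusted = TRUSTED_HOSTS)
  xfh = env['HTTP_X_FORWARDED_HOST'].to_s.split(',').first.to_s.strip
  if !xfh.empty? && trusted.include?(xfh.downcase)
    xfh
  else
    env['HTTP_HOST']
  end
end

# The absolute URL a redirect to +path+ would place in the Location header,
# using whichever host-selection strategy is passed in.
def redirect_location(env, path, host_fn)
  scheme = env['rack.url_scheme'] || 'https'
  "#{scheme}://#{host_fn.call(env)}#{path}"
end

# Constructed Rack-style environment: legitimate Host plus a forged
# X-Forwarded-Host (sample value, not a real site).
SAMPLE_ENV = {
  'rack.url_scheme'       => 'https',
  'HTTP_HOST'             => 'app.example.test',
  'HTTP_X_FORWARDED_HOST' => 'evil.example.invalid'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts redirect_location(SAMPLE_ENV, '/login', method(:naive_host))
  puts redirect_location(SAMPLE_ENV, '/login', method(:hardened_host))
end
```

The allowlist belongs in the application; independently, the reverse proxy in front of it should overwrite or strip any client-supplied X-Forwarded-Host so the header carries only the proxy's own value.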

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release                                   Version             Status
ruby-sinatra (PTS)  jessie                                    1.4.5-1             vulnerable
                    stretch (lts), stretch                    1.4.7-5+deb9u2      vulnerable
                    buster (security), buster, buster (lts)   2.0.5-4+deb10u2     vulnerable
                    bullseye                                  2.0.8.1-2           vulnerable
                    bullseye (security)                       2.0.8.1-2+deb11u1   vulnerable
                    bookworm                                  3.0.5-3             vulnerable
                    sid, trixie                               3.2.0-1             vulnerable

The information below is based on the following data on fixed versions.

Package       Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
ruby-sinatra  source  jessie      (unfixed)      end-of-life
ruby-sinatra  source  (unstable)  (unfixed)                           1087290

Notes

[bookworm] - ruby-sinatra <ignored> (Minor issue, too intrusive to backport)
https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
https://github.com/sinatra/sinatra/pull/2053
Rejected upstream fix: https://github.com/sinatra/sinatra/pull/2010