CVE-2024-45614

Name	CVE-2024-45614
Description	Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3947-1
Debian Bugs	1082379

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
puma (PTS)	stretch (security), stretch (lts), stretch	3.6.0-1+deb9u2	vulnerable
	buster (security), buster, buster (lts)	3.12.0-2+deb10u3	vulnerable
	bullseye	4.3.8-1+deb11u2	vulnerable
	bullseye (security)	4.3.8-1+deb11u3	fixed
	bookworm	5.6.5-3	vulnerable
	sid, trixie	6.4.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
puma	source	stretch	(unfixed)	end-of-life
puma	source	buster	(unfixed)	end-of-life
puma	source	bullseye	4.3.8-1+deb11u3		DLA-3947-1
puma	source	(unstable)	6.4.3-1			1082379

Notes

https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
Fixed by: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043 (v6.4.3)