CVE-2024-45614

NameCVE-2024-45614
DescriptionPuma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3947-1
Debian Bugs1082379

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puma (PTS)stretch (security), stretch (lts), stretch3.6.0-1+deb9u2vulnerable
buster (security), buster, buster (lts)3.12.0-2+deb10u3vulnerable
bullseye4.3.8-1+deb11u2vulnerable
bullseye (security)4.3.8-1+deb11u3fixed
bookworm5.6.5-3vulnerable
sid, trixie6.4.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pumasourcestretch(unfixed)end-of-life
pumasourcebuster(unfixed)end-of-life
pumasourcebullseye4.3.8-1+deb11u3DLA-3947-1
pumasource(unstable)6.4.3-11082379

Notes

https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
Fixed by: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043 (v6.4.3)

Search for package or bug name: Reporting problems