Platform
ruby
Component
puma
Fixed versions
6.0.1
5.6.10
5.6.9
CVE-2024-45614 is a header clobbering vulnerability in Puma, a Ruby web server. It lets a client overwrite request headers that an intermediate proxy set, which can lead to an HTTP downgrade or to response redirection. Affected releases are Puma 5.x before 5.6.9 and 6.x before 6.4.3; the fixes shipped in 5.6.9 and 6.4.3.
The root cause is how header names are normalized. Puma, like any Rack server, exposes request headers to the application as CGI-style env keys: the name is upcased and dashes become underscores, so X-Forwarded-For becomes HTTP_X_FORWARDED_FOR. A header named X-Forwarded_For maps to exactly the same key. In vulnerable versions the last header to arrive wins, so a client that sends X-Forwarded_For alongside the proxy's X-Forwarded-For can replace the value the proxy set, provided the proxy passes the underscored header through unchanged. The same applies to X-Forwarded-Proto: forcing it to http makes the application believe the connection was not TLS-terminated, which can cause downgrade behavior such as the application emitting plain http:// URLs or redirects; with an attacker in a man-in-the-middle position this exposes data in transit. Clobbering other proxy-set headers that the application uses to build URLs can redirect responses toward attacker-chosen locations, which is useful for phishing. The blast radius is any application behind a proxy that trusts forwarded headers for the client IP, scheme, or host.
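To make the normalization concrete, here is an added Ruby example (not Puma's own parser code, and not from this page) that folds a constructed header block into Rack-style env keys two ways: in arrival order, as a vulnerable server effectively does, and with underscored headers dropped whenever the dashed spelling of the same header is present, which is the behavior the fixed releases are described as having. The header values and the ordering (proxy-set headers first, client headers passed through after them) are assumptions made for the example; the outcome of the vulnerable path depends on that ordering.

```ruby
require "set"

# Constructed header block, as a pass-through proxy might forward it. The
# first two headers were set by the proxy; the last two were supplied by the
# client and passed through untouched. All values are made up for this example.
FORWARDED_HEADERS = [
  "X-Forwarded-For: 203.0.113.7",
  "X-Forwarded-Proto: https",
  "Host: app.example",
  "X-Forwarded_For: 10.0.0.1",
  "X-Forwarded_Proto: http",
].join("\r\n") + "\r\n\r\n"

# Split a raw header block into ordered [name, value] pairs.
def parse_header_block(raw)
  raw.split("\r\n").reject(&:empty?).map do |line|
    name, value = line.split(":", 2)
    [name.strip, value.to_s.strip]
  end
end

# CGI/Rack naming: upcase, and '-' becomes '_'. This is the step that makes
# X-Forwarded-For and X-Forwarded_For indistinguishable once they are in env.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Pre-fix behaviour: every header is folded into env in arrival order, so a
# client-supplied underscored variant arriving after the proxy's header wins.
def vulnerable_env(pairs)
  pairs.each_with_object({}) { |(name, value), env| env[env_key(name)] = value }
end

# Fixed behaviour as described in the advisory text: an underscored header is
# dropped when the dashed spelling of the same header is also present.
# (Simplified model written for this example, not Puma's parser code.)
def fixed_env(pairs)
  dashed_keys = pairs.reject { |name, _| name.include?("_") }
                     .map { |name, _| env_key(name) }
                     .to_set
  pairs.each_with_object({}) do |(name, value), env|
    next if name.include?("_") && dashed_keys.include?(env_key(name))
    env[env_key(name)] = value
  end
end

# What a downstream framework would conclude about the original scheme
# (Rails' request.ssl?, for instance, consults HTTP_X_FORWARDED_PROTO).
def forwarded_https?(env)
  env["HTTP_X_FORWARDED_PROTO"] == "https"
end

if __FILE__ == $PROGRAM_NAME
  pairs = parse_header_block(FORWARDED_HEADERS)
  [["vulnerable", vulnerable_env(pairs)], ["fixed", fixed_env(pairs)]].each do |label, env|
    puts "#{label}: client_ip=#{env['HTTP_X_FORWARDED_FOR']} https=#{forwarded_https?(env)}"
  end
end
```

Run with `ruby`: the vulnerable env reports the client-chosen IP (10.0.0.1) and scheme (http), the fixed env reports the proxy's (203.0.113.7, https). The same two-header request is what you would send through a real proxy after patching or reconfiguring it, checking HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_PROTO on the application side.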
The vulnerability was published on 2024-09-20. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; its EPSS score is shown below. No public proof-of-concept is tracked here, but the attack only requires adding a second header to an otherwise ordinary request, so targeted exploitation against applications that sit behind a pass-through proxy is plausible.
Exploitation status
EPSS
0.76% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a fixed release: 5.6.9 or later on the 5.x line, 6.4.3 or later on the 6.x line. Fixed versions discard a header whose name contains underscores when the same header with dashes is also present in the request, so a client-supplied X-Forwarded_For can no longer replace the proxy's X-Forwarded-For. If upgrading is not immediately possible, drop underscored request headers at the proxy instead. Nginx does this by default: with `underscores_in_headers off` and `ignore_invalid_headers on` (both defaults), a request header whose name contains an underscore is silently discarded before the request is forwarded, so confirm that neither directive has been changed. Proxies that pass unknown headers through unchanged need an equivalent rule. After upgrading or reconfiguring, verify by sending a request through the proxy that carries both X-Forwarded-For and X-Forwarded_For (and likewise X-Forwarded-Proto and X-Forwarded_Proto) and confirming that the application sees only the proxy-set values, for example in HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_PROTO.
Update the Puma gem to version 6.4.3 or later (5.6.9 or later on the 5.x line). This fixes the vulnerability that lets clients overwrite headers set by proxies. As an alternative mitigation, configure Nginx to discard headers containing underscores by setting `underscores_in_headers` to `off`.
CVE-2024-45614 is a medium severity vulnerability in Puma 5.x before 5.6.9 and 6.x before 6.4.3 that allows clients to overwrite proxy-set headers such as X-Forwarded-For and X-Forwarded-Proto, potentially leading to an HTTP downgrade or response redirection.
You are affected if you run an affected Puma version and your application relies on headers set by a proxy server (client IP, scheme, or host). Check your version with puma -v, or look at the puma entry in your Gemfile.lock.
Upgrade to Puma 5.6.9 or later (5.x) or 6.4.3 or later (6.x). As an interim workaround, have the upstream proxy drop request headers whose names contain underscores; Nginx does this by default with underscores_in_headers off.
There is currently no public evidence of active exploitation, but the vulnerability's nature suggests it could be exploited in targeted attacks.
Refer to the Puma project's security advisories and release notes on their official website or GitHub repository for the latest information.