Platform
ruby
Component
puma
Fixed versions
6.0.1
5.6.10
5.6.9
CVE-2024-45614 describes a header clobbering vulnerability in Puma, a Ruby web server. This flaw allows attackers to manipulate headers set by intermediate proxies, potentially leading to downgrade attacks or response redirection. The vulnerability impacts Puma versions 5.6.8 and earlier, and a fix is available in version 5.6.9.
The core of this vulnerability lies in Puma's handling of headers with underscores. An attacker can submit a header like X-Forwarded_For alongside the standard X-Forwarded-For. Puma, in vulnerable versions, will incorrectly process the underscored version, potentially overriding headers set by a proxy server. This manipulation can be leveraged to downgrade connections from HTTPS to HTTP, effectively stripping away encryption and exposing sensitive data in transit. Furthermore, attackers could redirect responses, potentially leading to phishing or other malicious actions, especially when combined with a man-in-the-middle (MITM) attack. The blast radius extends to any application relying on Puma and trusting headers provided by upstream proxies.
This vulnerability was published on 2024-09-20. There is no indication of this CVE being on KEV or having an EPSS score. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be exploited in targeted attacks against applications relying on Puma and proxy servers. The NVD and CISA have not yet issued advisories.
Exploitation status
EPSS
0.76% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to Puma version 5.6.9 or later, which correctly discards underscored header versions when the standard version is also present. If upgrading is not immediately feasible, a workaround involves configuring the upstream proxy (e.g., Nginx) to prioritize its headers. This can be achieved by ensuring that the proxy is the sole source of headers like X-Forwarded-For and that Puma is not configured to override them. Specifically, ensure that the headers Nginx sets take precedence over any client-supplied variants. After upgrading, confirm the fix by sending requests carrying both X-Forwarded-For and X-Forwarded_For headers and verifying that the proxy-defined header is the one the application sees.
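As an added illustration of the discard rule described above (example code written for this page, not Puma's own implementation): a simplified header-to-env normaliser, with a last-writer-wins variant standing in for the vulnerable behaviour beside a hardened variant that drops underscored spellings whenever the dashed spelling is also present. The header order, the HTTP_-prefixed env-key format and the IP values are constructed assumptions.

```ruby
# Added example, not Puma's code. Models why "X-Forwarded-For" and
# "X-Forwarded_For" collide once header names are mapped to CGI-style env
# keys, and how the fixed behaviour resolves the collision in favour of the
# dashed (proxy-set) spelling.

# CGI/Rack convention (assumed here): dashes become underscores, so both
# spellings of the header map to the same key.
def env_key(name)
  "HTTP_" + name.tr("-", "_").upcase
end

# Simplified stand-in for the vulnerable behaviour: whichever spelling is
# processed last overwrites the env value, so a client-supplied underscored
# header can clobber the value the proxy set.
def build_env_naive(headers)
  headers.each_with_object({}) do |(name, value), env|
    env[env_key(name)] = value
  end
end

# Hardened behaviour: underscored spellings are kept only when no dashed
# header maps to the same env key; otherwise they are discarded.
def build_env_hardened(headers)
  dashed = {}
  underscored = {}
  headers.each do |name, value|
    bucket = name.include?("_") ? underscored : dashed
    key = env_key(name)
    # Repeated headers of the same spelling are joined as a comma list.
    bucket[key] = bucket.key?(key) ? "#{bucket[key]}, #{value}" : value
  end
  underscored.reject { |key, _| dashed.key?(key) }.merge(dashed)
end

# Constructed request: the proxy's dashed header followed by a client-supplied
# underscored spelling of the same header (documentation IP ranges).
SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.7"],
  ["X-Forwarded_For", "198.51.100.9"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:    #{build_env_naive(SAMPLE_HEADERS)['HTTP_X_FORWARDED_FOR']}"
  puts "hardened: #{build_env_hardened(SAMPLE_HEADERS)['HTTP_X_FORWARDED_FOR']}"
end
```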
Upgrade the Puma gem to version 6.4.3 or later. This resolves the vulnerability that allows clients to overwrite headers set by proxies. As an alternative mitigation, configure Nginx to discard headers containing underscores by setting `underscores_in_headers` to `off`.
CVE-2024-45614 is a medium severity vulnerability in Puma versions 5.6.8 and earlier, allowing attackers to manipulate proxy headers like X-Forwarded-For, potentially leading to HTTP downgrade or response redirection.
You are affected if you are using Puma version 5.6.8 or earlier and your application relies on headers set by a proxy server. Check your Puma version with puma -v.
Upgrade to Puma version 5.6.9 or later. Alternatively, configure your upstream proxy (e.g., Nginx) to prioritize its headers and prevent Puma from overriding them.
There is currently no public evidence of active exploitation, but the vulnerability's nature suggests it could be exploited in targeted attacks.
Refer to the Puma project's security advisories and release notes on their official website or GitHub repository for the latest information.