CVE-2024-45614

Severity: Medium (CVSS 3.1 base score 5.4)
EPSS: 46.3%
Published: Sep 19, 2024
Last Modified: Jun 17, 2026

Description

Puma is a Ruby/Rack web server built for parallelism. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any user relying on proxy-set variables is affected. v6.4.3/v5.6.9 now discard any header using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.
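The collision arises because Rack-style servers fold header names into CGI environment keys (upcase, '-' to '_', HTTP_ prefix), so X-Forwarded-For and X-Forwarded_For both land on HTTP_X_FORWARDED_FOR. The following is an added example, not Puma's own code or the fix shipped in 6.4.3/5.6.9: it models a naive fold where the later spelling wins, the filter the description mandates (drop the underscore spelling when the dashed one exists in the same request), and a consumer that trusts the forwarded address. The header list, addresses and the X_Custom_Only header are constructed for illustration.

```ruby
# Added example, not Puma's own code: models the header-name collision behind
# CVE-2024-45614 and a filter that lets the proxy-set (dashed) header win.
# Headers are assumed to arrive in request order as [name, value] pairs.

# Rack/CGI convention: upcase the name, turn '-' into '_', prefix with HTTP_.
# Both "X-Forwarded-For" and "X-Forwarded_For" map to HTTP_X_FORWARDED_FOR.
def cgi_key(name)
  "HTTP_#{name.upcase.tr('-', '_')}"
end

# Naive folding: every header is written into the env under its CGI key, so
# whichever spelling appears later in the request silently replaces the other.
def env_naive(headers)
  headers.each_with_object({}) { |(name, value), env| env[cgi_key(name)] = value }
end

# Hardened folding: a header whose raw name contains '_' is discarded whenever a
# dash-spelled header in the same request maps to the same CGI key. Headers that
# exist only in underscore form are kept, so legitimate underscore headers work.
# The decision is made over the whole header list first, so order does not matter.
def env_hardened(headers)
  dashed = headers.reject { |name, _| name.include?('_') }.map { |name, _| cgi_key(name) }
  headers.each_with_object({}) do |(name, value), env|
    key = cgi_key(name)
    next if name.include?('_') && dashed.include?(key)
    env[key] = value
  end
end

# A typical consumer that trusts the proxy-set header: take the rightmost
# address, i.e. the one appended by the nearest (trusted) proxy.
def client_ip(env)
  env.fetch('HTTP_X_FORWARDED_FOR', '').split(',').map(&:strip).last
end

# Constructed request (hypothetical addresses): the reverse proxy sets
# X-Forwarded-For to the real peer address; the client smuggles an underscore
# variant. The spoofed header is placed last to show the worst case for the
# naive fold.
ATTACK_HEADERS = [
  ['Host', 'app.example'],
  ['X-Forwarded-For', '203.0.113.7'],   # set by the proxy (real client)
  ['X-Forwarded_For', '10.0.0.5'],      # sent by the client (spoofed)
  ['X_Custom_Only', 'kept'],            # underscore-only header, no dashed twin
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive fold sees:    #{client_ip(env_naive(ATTACK_HEADERS))}"    # 10.0.0.5
  puts "hardened fold sees: #{client_ip(env_hardened(ATTACK_HEADERS))}" # 203.0.113.7
end
```

With the naive fold the outcome depends on which spelling the proxy happens to emit last, which is exactly the property an attacker probes; the hardened fold gives the proxy's value regardless of order, and an underscore-only header such as X_Custom_Only is still passed through. An allowlist or rate limiter keyed on client_ip would accept the attacker-chosen 10.0.0.5 in the naive case.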

CVSS Details

Base Score
5.4
Exploitability
2.2
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
46.3% (percentile)
Exploit & Patch Status
No Known Exploit
Patch available: fixed in Puma 6.4.3 and 5.6.9 (per the description and the vendor advisory)

Weaknesses (2)

CWE-444  Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-639  Authorization Bypass Through User-Controlled Key

Affected Products (2)

Vendor   Product   Version Range
puma     puma      < 5.6.9
puma     puma      >= 6.0.0, < 6.4.3

References (3)

  • Vendor Advisory (GitHub): https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
  • Debian LTS announcement: https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
  • nginx documentation, underscores_in_headers directive: https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers

Remediation

Upgrade Puma to 6.4.3 (6.x line) or 5.6.9 (5.x line) or later; the fixed versions discard an underscore-spelled header whenever the same request also carries the dashed spelling, so proxy-set headers win.

Where nginx fronts the application, leave underscores_in_headers at its default of off: header fields whose names contain underscores are then treated as invalid and, with ignore_invalid_headers at its default of on, are dropped before the request reaches Puma. Check that neither directive has been overridden in nginx.conf, and apply the equivalent filtering on any other proxy in the path; the mitigation only helps if every client-facing hop enforces it.

Until the upgrade is in place, do not use proxy-set variables such as X-Forwarded-For for authorization, allowlisting or rate limiting, since a client can override them.