Bug 2313672 (CVE-2024-45614) - CVE-2024-45614 rubygem-puma: Header normalization allows for client to clobber proxy set headers
Keywords:
Status: NEW
Alias: CVE-2024-45614
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2313741 2313700 2313701 2313702 2313703
Blocks:
Reported: 2024-09-19 23:20 UTC by OSIDB Bzimport
Modified: 2025-06-04 15:33 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-09-19 23:20:30 UTC
Puma is a Ruby/Rack web server built for parallelism. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any user relying on proxy-set variables is affected. v6.4.3/v5.6.9 now discard any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.
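The clobbering mechanism described above, as an added Ruby illustration that is not Puma's own parser code: both header spellings normalize to the same HTTP_X_FORWARDED_FOR env key, so a naive normalizer lets the client's value land in the same slot as the proxy's, while the hardened normalizer discards the underscore variant whenever the hyphenated header is also present, which is the behaviour the advisory describes for v6.4.3/v5.6.9. The header list, IP addresses, and function names are constructed for this example, and merging duplicate values with ", " is an assumed convention, not a claim about Puma internals.

```ruby
# Added illustration of CVE-2024-45614's header-normalization collision.
# Not Puma's code; header names, values and helper names are constructed.

# CGI/Rack-style env key: upcase, '-' -> '_', prefix HTTP_. This is the
# rule that makes "X-Forwarded-For" and "X-Forwarded_For" collide.
def env_key(name)
  "HTTP_#{name.upcase.tr('-', '_')}"
end

# Naive normalization: every header folds into the env hash keyed only by
# env_key, and duplicates are merged with ", " (assumed convention). A
# client-supplied underscore spelling therefore shares the slot with, and
# here is prepended to, the proxy-set hyphen spelling.
def normalize_naive(headers)
  env = {}
  headers.each do |name, value|
    key = env_key(name)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
  env
end

# Hardened normalization: a header whose raw name contains an underscore is
# dropped when a hyphen-spelled header maps to the same env key, so the
# proxy-defined header always wins. An underscore-only header with no
# hyphenated twin is still kept, matching "if the non-underscore version
# also exists" in the advisory.
def normalize_hardened(headers)
  hyphen_keys = headers.map { |name, _| name }
                       .reject { |name| name.include?('_') }
                       .map { |name| env_key(name) }
  env = {}
  headers.each do |name, value|
    key = env_key(name)
    next if name.include?('_') && hyphen_keys.include?(key)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
  env
end

# Typical application-side consumer: the first address in X-Forwarded-For is
# treated as the originating client.
def client_ip(env)
  env.fetch("HTTP_X_FORWARDED_FOR", "").split(",").first&.strip
end

# Constructed request as it reaches the server: the client sent the
# underscore spelling; the reverse proxy appended the real header.
REQUEST_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded_For", "10.0.0.1"],     # client-controlled, underscore spelling
  ["X-Forwarded-For", "203.0.113.5"],  # set by the proxy, hyphen spelling
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive    -> #{client_ip(normalize_naive(REQUEST_HEADERS))}"     # 10.0.0.1
  puts "hardened -> #{client_ip(normalize_hardened(REQUEST_HEADERS))}"  # 203.0.113.5
end
```

Running the block shows the naive normalizer reporting the client-chosen address while the hardened one reports the proxy's, which is exactly the trust boundary the advisory says applications should not rely on until the fixed versions are in place.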

Comment 1 Vít Ondruch 2024-09-20 08:44:10 UTC
@Avinash why were only f39 / f40 trackers created when all Fedoras are impacted IMHO?

And why am I - as a Fedora maintainer of rubygem-puma - not on the CC of this flaw tracker?

Comment 2 Sandipan Roy 2024-09-20 10:49:53 UTC
Fedora-all tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2313741
