Описание
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
A flaw was found in rubygem-puma. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. As a mitigation, Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Отчет
This issue is classified as moderate severity rather than important because, while it allows clients to manipulate proxy-set headers like X-Forwarded-For, its exploitability depends on specific conditions. The vulnerability only affects applications that rely on these headers for security purposes, such as IP-based access controls or logging, and is mitigated by proper server configurations (e.g., using underscores_in_headers off in Nginx). Furthermore, it does not directly compromise the server's integrity or enable arbitrary code execution.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | pcs | Not affected | ||
| Red Hat Enterprise Linux 9 | pcs | Not affected | ||
| Red Hat Satellite 6 | rubygem-puma | Affected | ||
| Red Hat Satellite 6 | satellite:el8/rubygem-puma | Affected | ||
| Red Hat Storage 3 | rubygem-puma | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
5.4 Medium
CVSS3
Связанные уязвимости
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Puma is a Ruby/Rack web server built for parallelism. In affected vers ...
Puma's header normalization allows for client to clobber proxy set headers
Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, позволяющая нарушителю выполнить произвольный код
EPSS
5.4 Medium
CVSS3