File tree 1 file changed +28
-0
lines changed
1 file changed +28
-0
lines changed Original file line number Diff line number Diff line change 1+ ---
2+ gem : sinatra
3+ cve : 2024-21510
4+ ghsa : hxx2-7vcw-mqr3
5+ url : https://github.com/advisories/GHSA-hxx2-7vcw-mqr3
6+ title : Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision
7+ date : 2024-11-01
8+ description : |
9+ Versions of the package sinatra from 0.0.0 are vulnerable to
10+ Reliance on Untrusted Inputs in a Security Decision via the
11+ X-Forwarded-Host (XFH) header.
12+
13+ When making a request to a method with redirect applied, it is
14+ possible to trigger an Open Redirect Attack by inserting an
15+ arbitrary address into this header. If used for caching purposes,
16+ such as with servers like Nginx, or as a reverse proxy, without
17+ handling the X-Forwarded-Host header, attackers can potentially
18+ exploit Cache Poisoning or Routing-based SSRF.
19+ cvss_v3 : 5.4
20+ notes : Never patched
21+ related :
22+ url :
23+ - https://nvd.nist.gov/vuln/detail/CVE-2024-21510
24+ - https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
25+ - https://github.com/sinatra/sinatra/pull/2010
26+ - https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L319
27+ - https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L323C1-L343C17
28+ - https://github.com/advisories/GHSA-hxx2-7vcw-mqr3
You can’t perform that action at this time.
0 commit comments