Updated advisory posts against rubysec/ruby-advisory-db@69dcead

Author: jasnow

advisories/_posts/2024-09-19-CVE-2024-7254.md

@@ -0,0 +1,70 @@
+---
+layout: advisory
+title: 'CVE-2024-7254 (google-protobuf): protobuf-java has potential Denial of Service
+  issue'
+comments: false
+categories:
+- google-protobuf
+advisory:
+  gem: google-protobuf
+  cve: 2024-7254
+  ghsa: 735f-pc8j-v9w8
+  url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
+  title: protobuf-java has potential Denial of Service issue
+  date: 2024-09-19
+  description: |+
+    ### Summary
+    When parsing unknown fields in the Protobuf Java Lite and Full library,
+    a maliciously crafted message can cause a StackOverflow error and lead
+    to a program crash.
+
+    Reporter: Alexis Challande, Trail of Bits Ecosystem Security
+    Team <[email protected]>
+
+    Affected versions: This issue affects all versions of both the Java
+    full and lite Protobuf runtimes, as well as Protobuf for Kotlin and
+    JRuby, which themselves use the Java Protobuf runtime.
+
+    ### Severity
+    [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254)
+    **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
+
+    This is a potential Denial of Service. Parsing nested groups as unknown
+    fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser,
+    or against Protobuf map fields, creates unbounded recursions that can
+    be abused by an attacker.
+
+    ### Proof of Concept
+    For reproduction details, please refer to the unit tests (Protobuf Java
+    [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java)
+    and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java))
+    that identify the specific inputs that exercise this parsing weakness.
+
+    ### Remediation and Mitigation
+    We have been working diligently to address this issue and have released
+    a mitigation that is available now. Please update to the latest
+    available versions of the following packages:
+
+    * protobuf-java (3.25.5, 4.27.5, 4.28.2)
+    * protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
+    * protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
+    * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
+    * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
+
+  cvss_v4: 8.7
+  patched_versions:
+  - "~> 3.25.5"
+  - "~> 4.27.5"
+  - ">= 4.28.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-7254
+    - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
+    - https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
+    - https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
+    - https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
+    - https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
+    - https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
+    - https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
+    - https://github.com/advisories/GHSA-735f-pc8j-v9w8
+---

advisories/_posts/2024-09-20-CVE-2024-45614.md

@@ -0,0 +1,51 @@
+---
+layout: advisory
+title: 'CVE-2024-45614 (puma): Puma''s header normalization allows for client to clobber
+  proxy set headers'
+comments: false
+categories:
+- puma
+advisory:
+  gem: puma
+  cve: 2024-45614
+  ghsa: 9hf4-67fc-4vf4
+  url: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
+  title: Puma's header normalization allows for client to clobber proxy set headers
+  date: 2024-09-20
+  description: |
+    ### Impact
+
+    Clients could clobber values set by intermediate proxies (such as
+    X-Forwarded-For) by providing a underscore version of the same
+    header (X-Forwarded_For).
+
+    Any users trusting headers set by their proxy may be affected.
+    Attackers may be able to downgrade connections to HTTP (non-SSL)
+    or redirect responses, which could cause confidentiality leaks
+    if combined with a separate MITM attack.
+
+    ### Patches
+    v6.4.3/v5.6.9 now discards any headers using underscores if the
+    non-underscore version also exists.  Effectively, allowing the
+    proxy defined headers to always win.
+
+    ### Workarounds
+    Nginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)
+    configuration variable to discard these headers at the proxy level.
+
+    Any users that are implicitly trusting the proxy defined headers
+    for security or availability should immediately cease doing so
+    until upgraded to the fixed versions.
+  cvss_v3: 5.4
+  patched_versions:
+  - "~> 5.6.9"
+  - ">= 6.4.3"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-45614
+    - https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
+    - https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
+    - https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
+    - https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
+    - https://github.com/advisories/GHSA-9hf4-67fc-4vf4
+---