[DRE-maint] Bug#1087290: ruby-sinatra: CVE-2024-21510

Salvatore Bonaccorso carnil at debian.org
Sun Nov 10 19:55:55 GMT 2024


Source: ruby-sinatra
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for ruby-sinatra.

CVE-2024-21510[0]:
| Versions of the package sinatra from 0.0.0 are vulnerable to
| Reliance on Untrusted Inputs in a Security Decision via the
| X-Forwarded-Host (XFH) header. When making a request to a method
| with redirect applied, it is possible to trigger an Open Redirect
| Attack by inserting an arbitrary address into this header. If used
| for caching purposes, such as with servers like Nginx, or as a
| reverse proxy, without handling the X-Forwarded-Host header,
| attackers can potentially exploit Cache Poisoning or Routing-based
| SSRF.

As of filing this bug report, please be aware that a complete fix is
yet unavailable, cf. as well
https://bugzilla.suse.com/show_bug.cgi?id=1232746 . Can you maybe
please approach upstream to query the current status?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21510
    https://www.cve.org/CVERecord?id=CVE-2024-21510
[1] https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
[2] https://github.com/sinatra/sinatra/pull/2010

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
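The mechanism the CVE text above describes, as an added example that is not part of this bug report and not Sinatra's own code: a redirect target assembled from the request host picks up an X-Forwarded-Host value verbatim, and a hardened variant only honours that header when it names a host the application is actually served under. The Rack-style env hashes, the hostnames and the allowlist are constructed for the example.

```ruby
# Host selection in the style the CVE describes: a forwarded host, when
# present, wins over the Host header. (Simplified; not Sinatra's code.)
def effective_host(env)
  env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
end

# Absolute Location for a relative redirect path, built from that host.
def redirect_location(env, path)
  scheme = env['rack.url_scheme'] || 'http'
  "#{scheme}://#{effective_host(env)}#{path}"
end

# Hardened variant: X-Forwarded-Host is only trusted when it matches one of
# the hostnames this deployment serves (hypothetical allowlist).
def trusted_host(env, allowed_hosts)
  forwarded = env['HTTP_X_FORWARDED_HOST']
  return env['HTTP_HOST'] if forwarded.nil?
  # The header may carry a comma-separated chain of proxies; the first entry
  # is the client-facing host. Compare case-insensitively, ignoring the port.
  candidate = forwarded.split(',').first.to_s.strip.downcase
  host_only = candidate.sub(/:\d+\z/, '')
  allowed_hosts.include?(host_only) ? candidate : env['HTTP_HOST']
end

def safe_redirect_location(env, path, allowed_hosts)
  scheme = env['rack.url_scheme'] || 'http'
  "#{scheme}://#{trusted_host(env, allowed_hosts)}#{path}"
end

# Constructed requests: one direct, one arriving with a forwarded host that
# the application is not served under.
DIRECT    = { 'HTTP_HOST' => 'app.example.org', 'rack.url_scheme' => 'https' }
FORWARDED = DIRECT.merge('HTTP_X_FORWARDED_HOST' => 'untrusted.example')
ALLOWED   = ['app.example.org'].freeze

if __FILE__ == $PROGRAM_NAME
  puts redirect_location(FORWARDED, '/login')                 # host taken from the header
  puts safe_redirect_location(FORWARDED, '/login', ALLOWED)   # stays on app.example.org
end
```

The same allowlist check belongs at the reverse proxy as well: a proxy that overwrites or strips X-Forwarded-Host before forwarding removes the untrusted input from the decision entirely.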


