Puma Puma 6.4.2 for Ruby

CPE Details

Puma Puma 6.4.2 for Ruby
6.4.2
2024-01-12 11h35 +00:00
2024-01-12 11h35 +00:00

CPE Name: cpe:2.3:a:puma:puma:6.4.2:*:*:*:*:ruby:*:*

Information

Vendor

puma

Product

puma

Version

6.4.2

Target Software

ruby

Related CVE


CVE ID: CVE-2024-45614
Published: 2024-09-19 22h42 +00:00
Score: 5.4
Severity: Medium
Description: Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.