Medium severity5.4NVD Advisory· Published Nov 1, 2024· Updated Apr 15, 2026
CVE-2024-21510
CVE-2024-21510
Description
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sinatraRubyGems | < 4.1.0 | 4.1.0 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-hxx2-7vcw-mqr3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21510ghsaADVISORY
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2024-21510.ymlghsaWEB
- github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rbghsaWEB
- github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rbghsaWEB
- github.com/sinatra/sinatra/blob/main/CHANGELOG.mdghsaWEB
- github.com/sinatra/sinatra/pull/2010nvdWEB
- security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832nvdWEB
- github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb%23L319nvd
- github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb%23L323C1-L343C17nvd
News mentions
0No linked articles in our index yet.