Header normalization allows for client to clobber proxy set headers in Puma
Description
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pumaRubyGems | < 5.6.9 | 5.6.9 |
pumaRubyGems | >= 6.0.0, < 6.4.3 | 6.4.3 |
Affected products
127- osv-coords126 versionspkg:apk/chainguard/gitaly-config-17.4pkg:apk/chainguard/gitaly-config-18.1pkg:apk/chainguard/gitaly-config-18.2pkg:apk/chainguard/gitlab-base-17.4pkg:apk/chainguard/gitlab-base-18.1pkg:apk/chainguard/gitlab-base-18.2pkg:apk/chainguard/gitlab-certificates-17.4pkg:apk/chainguard/gitlab-certificates-18.1pkg:apk/chainguard/gitlab-certificates-18.2pkg:apk/chainguard/gitlab-cfssl-self-sign-scripts-17.4pkg:apk/chainguard/gitlab-cfssl-self-sign-scripts-18.1pkg:apk/chainguard/gitlab-cfssl-self-sign-scripts-18.2pkg:apk/chainguard/gitlab-cng-17.4pkg:apk/chainguard/gitlab-cng-18.1pkg:apk/chainguard/gitlab-cng-18.2pkg:apk/chainguard/gitlab-container-registry-17.4pkg:apk/chainguard/gitlab-container-registry-18.1pkg:apk/chainguard/gitlab-container-registry-18.2pkg:apk/chainguard/gitlab-container-registry-compat-17.4pkg:apk/chainguard/gitlab-container-registry-scripts-17.4pkg:apk/chainguard/gitlab-container-registry-scripts-18.1pkg:apk/chainguard/gitlab-container-registry-scripts-18.2pkg:apk/chainguard/gitlab-elasticsearch-indexer-17.4pkg:apk/chainguard/gitlab-elasticsearch-indexer-compat-17.4pkg:apk/chainguard/gitlab-exporter-17.4pkg:apk/chainguard/gitlab-exporter-18.1pkg:apk/chainguard/gitlab-exporter-18.2pkg:apk/chainguard/gitlab-exporter-scripts-17.4pkg:apk/chainguard/gitlab-exporter-scripts-18.1pkg:apk/chainguard/gitlab-exporter-scripts-18.2pkg:apk/chainguard/gitlab-geo-logcursor-scripts-17.4pkg:apk/chainguard/gitlab-gitaly-scripts-17.4pkg:apk/chainguard/gitlab-gitaly-scripts-18.1pkg:apk/chainguard/gitlab-gitaly-scripts-18.2pkg:apk/chainguard/gitlab-logger-17.4pkg:apk/chainguard/gitlab-logger-18.1pkg:apk/chainguard/gitlab-logger-18.2pkg:apk/chainguard/gitlab-logger-compat-17.4pkg:apk/chainguard/gitlab-logger-compat-18.1pkg:apk/chainguard/gitlab-logger-compat-18.2pkg:apk/chainguard/gitlab-mailroom-17.4pkg:apk/chainguard/gitlab-mailroom-scripts-17.4pkg:apk/chainguard/gitlab-pages-scripts-17.4pkg:apk/chainguard/gitlab-pages-scripts-18.1pkg:apk/chainguard/gitlab-pages-scripts-18.2pkg:apk/chainguard/gitlab-rails-scripts-17.4pkg:apk/chainguard/gitlab-rails-scripts-18.1pkg:apk/chainguard/gitlab-rails-scripts-18.2pkg:apk/chainguard/gitlab-shell-17.4pkg:apk/chainguard/gitlab-shell-18.1pkg:apk/chainguard/gitlab-shell-18.2pkg:apk/chainguard/gitlab-shell-scripts-17.4pkg:apk/chainguard/gitlab-shell-scripts-18.1pkg:apk/chainguard/gitlab-shell-scripts-18.2pkg:apk/chainguard/gitlab-shell-scripts-compat-17.4pkg:apk/chainguard/gitlab-shell-scripts-compat-18.1pkg:apk/chainguard/gitlab-shell-scripts-compat-18.2pkg:apk/chainguard/gitlab-sidekiq-ce-18.1pkg:apk/chainguard/gitlab-sidekiq-ce-18.2pkg:apk/chainguard/gitlab-sidekiq-scripts-17.4pkg:apk/chainguard/gitlab-toolbox-ce-18.1pkg:apk/chainguard/gitlab-toolbox-ce-18.2pkg:apk/chainguard/gitlab-toolbox-scripts-17.4pkg:apk/chainguard/gitlab-webservice-ce-18.1pkg:apk/chainguard/gitlab-webservice-ce-18.2pkg:apk/chainguard/gitlab-webservice-config-17.4pkg:apk/chainguard/gitlab-webservice-scripts-17.4pkg:apk/chainguard/gitlab-workhorse-scripts-17.4pkg:apk/chainguard/gitlab-workhorse-scripts-18.1pkg:apk/chainguard/gitlab-workhorse-scripts-18.2pkg:apk/chainguard/logstashpkg:apk/chainguard/logstash-compatpkg:apk/chainguard/logstash-env2yamlpkg:apk/chainguard/logstash-jre-bcfipspkg:apk/chainguard/logstash-jre-bcfips-compatpkg:apk/chainguard/logstash-jre-bcfips-env2yamlpkg:apk/chainguard/logstash-jre-bcfips-with-output-opensearchpkg:apk/chainguard/logstash-with-output-opensearchpkg:apk/chainguard/ruby3.2-pumapkg:apk/wolfi/gitaly-config-18.1pkg:apk/wolfi/gitaly-config-18.2pkg:apk/wolfi/gitlab-base-18.1pkg:apk/wolfi/gitlab-base-18.2pkg:apk/wolfi/gitlab-certificates-18.1pkg:apk/wolfi/gitlab-certificates-18.2pkg:apk/wolfi/gitlab-cfssl-self-sign-scripts-18.1pkg:apk/wolfi/gitlab-cfssl-self-sign-scripts-18.2pkg:apk/wolfi/gitlab-cng-18.1pkg:apk/wolfi/gitlab-cng-18.2pkg:apk/wolfi/gitlab-container-registry-18.1pkg:apk/wolfi/gitlab-container-registry-18.2pkg:apk/wolfi/gitlab-container-registry-scripts-18.1pkg:apk/wolfi/gitlab-container-registry-scripts-18.2pkg:apk/wolfi/gitlab-exporter-18.1pkg:apk/wolfi/gitlab-exporter-18.2pkg:apk/wolfi/gitlab-exporter-scripts-18.1pkg:apk/wolfi/gitlab-exporter-scripts-18.2pkg:apk/wolfi/gitlab-gitaly-scripts-18.1pkg:apk/wolfi/gitlab-gitaly-scripts-18.2pkg:apk/wolfi/gitlab-logger-18.1pkg:apk/wolfi/gitlab-logger-18.2pkg:apk/wolfi/gitlab-logger-compat-18.1pkg:apk/wolfi/gitlab-logger-compat-18.2pkg:apk/wolfi/gitlab-pages-scripts-18.1pkg:apk/wolfi/gitlab-pages-scripts-18.2pkg:apk/wolfi/gitlab-shell-18.1pkg:apk/wolfi/gitlab-shell-18.2pkg:apk/wolfi/gitlab-shell-scripts-18.1pkg:apk/wolfi/gitlab-shell-scripts-18.2pkg:apk/wolfi/gitlab-shell-scripts-compat-18.1pkg:apk/wolfi/gitlab-shell-scripts-compat-18.2pkg:apk/wolfi/logstashpkg:apk/wolfi/logstash-compatpkg:apk/wolfi/logstash-env2yamlpkg:apk/wolfi/logstash-with-output-opensearchpkg:apk/wolfi/ruby3.2-pumapkg:gem/pumapkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP7
< 17.4.4-r0+ 125 more
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.3-r2
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.3-r2
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.3-r2
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.3-r2
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 17.4.4-r0
- (no CPE)range: < 18.1.3-r2
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.3-r0
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 6.4.3-r0
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 18.1.2-r1
- (no CPE)range: < 18.2.1-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 8.15.2-r1
- (no CPE)range: < 6.4.3-r0
- (no CPE)range: < 5.6.9
- (no CPE)range: < 4.3.12-150000.3.15.1
- (no CPE)range: < 5.6.9-150600.18.3.1
- (no CPE)range: < 6.4.3-1.1
- (no CPE)range: < 4.3.12-150000.3.15.1
- (no CPE)range: < 4.3.12-150000.3.15.1
- (no CPE)range: < 4.3.12-150000.3.15.1
- (no CPE)range: < 4.3.12-150000.3.15.1
- (no CPE)range: < 5.6.9-150600.18.3.1
- (no CPE)range: < 5.6.9-150600.18.3.1
- puma/pumav5Range: >= 6.0.0, < 6.4.3
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-9hf4-67fc-4vf4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-45614ghsaADVISORY
- github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043ghsaWEB
- github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70eghsaWEB
- github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4ghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2024/11/msg00004.htmlghsaWEB
- nginx.org/en/docs/http/ngx_http_core_module.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.