发布时间: 2024年10月12日
修改时间: 2024年10月18日
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 5.4 | 5.4 |
| Attack Vector | Network | Network |
| Attack Complexity | High | High |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Changed | Changed |
| Confidentiality | Low | Low |
| Integrity | Low | Low |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-4065 | rubygem-puma security update | 2024年10月12日 |
| KylinSec-SA-2024-4085 | rubygem-puma security update | 2024年10月12日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | rubygem-puma | Fixed |
| KY3.5.2 | rubygem-puma | Fixed |
| V6 | rubygem-puma | Fixed |
