Skip to main content

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2024-45614

Severity Medium
Score 5.4/10

Summary

Puma is a Ruby/Rack web server built for parallelism. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For), now discarding any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy-defined headers to always win. Users are advised to upgrade. As a mitigation, Nginx has an 'underscores_in_headers' configuration variable to discard these headers at the proxy level. Any users implicitly trusting the proxy-defined headers for security should immediately cease doing so until they are upgraded to the fixed versions. This issue affects versions prior to 5.6.9 and 6.x prior to 6.4.3.

  • HIGH
  • NETWORK
  • LOW
  • CHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-444 - HTTP Request Smuggling

Entities such as web servers, web caching proxies, and application firewalls could parse HTTP requests differently. When there are two or more such entities in the path of an HTTP request, an attacker can send a specially crafted HTTP request that is seen as two different sets of requests by the attacked devices, allowing the attacker to smuggle a request into one device without the other device being aware of it. Such a vulnerability can prove devastating, for it enables further attacks on the application, like web cache poisoning, session hijacking, cross-site scripting, security bypassing, and sensitive information exposure.

Advisory Timeline

  • Published