Skip to content

Commit

Permalink
Merge pull request #5018 from github/ThomasKoppensteiner-GHSA-hxx2-7v…
Browse files Browse the repository at this point in the history
  • Loading branch information
advisory-database[bot] authored Nov 18, 2024
2 parents dca914a + 7b0cc59 commit 4785e57
Showing 1 changed file with 6 additions and 7 deletions.
Original file line number Diff line number Diff line change
@@ -1,18 +1,14 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hxx2-7vcw-mqr3",
"modified": "2024-11-04T13:52:38Z",
"modified": "2024-11-04T13:52:39Z",
"published": "2024-11-01T06:30:34Z",
"aliases": [
"CVE-2024-21510"
],
"summary": "Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision",
"details": "Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
Expand All @@ -32,11 +28,14 @@
"introduced": "0"
},
{
"last_affected": "4.0.0"
"fixed": "4.1.0"
}
]
}
]
],
"database_specific": {
"last_known_affected_version_range": "<= 4.0.0"
}
}
],
"references": [
Expand Down

0 comments on commit 4785e57

Please sign in to comment.