CVE-2024-21510

CVSS V2 None CVSS V3 None

Description

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Overview

CVE ID
CVE-2024-21510

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-11-01T05:00:04.821Z

Last Modified Date
2024-11-01T05:00:04.821Z

Weakness Enumerations

CWE	URL
CWE-807	http://cwe.mitre.org/data/definitions/807.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb%23L319
https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb%23L323C1-L343C17
https://github.com/sinatra/sinatra/pull/2010

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21510
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21510

History

Created	Old Value	New Value	Data Type	Notes
2024-11-01 13:31:41				Added to TrackCVE