{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-45614", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.425Z", "datePublished": "2024-09-19T22:42:33.974Z", "dateUpdated": "2025-11-03T22:15:51.621Z"}, "containers": {"cna": {"title": "Header normalization allows for client to clobber proxy set headers in Puma", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"}, {"name": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "tags": ["x_refsource_MISC"], "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"}], "affected": [{"vendor": "puma", "product": "puma", "versions": [{"version": ">= 6.0.0, < 6.4.3", "status": "affected"}, {"version": "< 5.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-19T22:42:33.974Z"}, "descriptions": [{"lang": "en", "value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."}], "source": {"advisory": "GHSA-9hf4-67fc-4vf4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T13:54:35.745068Z", "id": "CVE-2024-45614", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T13:54:50.515Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:15:51.621Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:15:51.621Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-20T13:54:35.745068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T13:54:46.693Z"}}], "cna": {"title": "Header normalization allows for client to clobber proxy set headers in Puma", "source": {"advisory": "GHSA-9hf4-67fc-4vf4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "puma", "product": "puma", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.4.3"}, {"status": "affected", "version": "< 5.6.9"}]}], "references": [{"url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "name": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "name": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-19T22:42:33.974Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45614", "state": "PUBLISHED", "dateUpdated": "2025-11-03T22:15:51.621Z", "dateReserved": "2024-09-02T16:00:02.425Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-19T22:42:33.974Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "97372632-D7E2-4DE6-A0CB-4191EF627AF4", "versionEndExcluding": "5.6.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "70AE8ED4-BC0B-4714-9B00-EF4A321DACAC", "versionEndExcluding": "6.4.3", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."}, {"lang": "es", "value": "Puma es un servidor web Ruby/Rack creado para el paralelismo. En las versiones afectadas, los clientes pod\u00edan alterar los valores establecidos por los servidores proxy intermedios (como X-Forwarded-For) al proporcionar una versi\u00f3n con guiones bajos del mismo encabezado (X-Forwarded_For). Todos los usuarios que dependan de las variables establecidas por el proxy se ven afectados. v6.4.3/v5.6.9 ahora descarta cualquier encabezado que utilice guiones bajos si tambi\u00e9n existe la versi\u00f3n sin guiones bajos. De hecho, permite que los encabezados definidos por el proxy siempre prevalezcan. Se recomienda a los usuarios que actualicen. Nginx tiene una variable de configuraci\u00f3n underscores_in_headers para descartar estos encabezados a nivel de proxy como mitigaci\u00f3n. Todos los usuarios que conf\u00eden impl\u00edcitamente en los encabezados definidos por el proxy por razones de seguridad deben dejar de hacerlo de inmediato hasta que se actualicen a las versiones corregidas."}], "id": "CVE-2024-45614", "lastModified": "2025-11-03T23:15:51.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-19T23:15:11.703", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "rubygem-puma: Header normalization allows for client to clobber proxy set headers", "id": "2313672", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313672"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.", "A flaw was found in rubygem-puma. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. As a mitigation, Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45614", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/rubygem-puma", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Storage 3"}], "public_date": "2024-09-19T23:15:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45614\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45614\nhttps://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4\nhttps://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"], "statement": "This issue is classified as moderate severity rather than important because, while it allows clients to manipulate proxy-set headers like `X-Forwarded-For`, its exploitability depends on specific conditions. The vulnerability only affects applications that rely on these headers for security purposes, such as IP-based access controls or logging, and is mitigated by proper server configurations (e.g., using `underscores_in_headers off` in Nginx). Furthermore, it does not directly compromise the server's integrity or enable arbitrary code execution.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-639: Authorization Bypass Through User-Controlled Key vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess controls strictly enforce user-to-resource authorization, preventing manipulation of identifiers such as namespace names or resource paths to gain unauthorized access. Least privilege principles restrict access to only the resources necessary for each role, reducing the potential impact of any misused identifiers. Account management enforces unique user identities and session controls to prevent horizontal or vertical privilege escalation. Remote access is tightly governed through hardened authentication mechanisms and session limitations, further minimizing the risk of user-controlled access vectors. Additionally, access enforcement policies are applied consistently across services and verified through routine validation, reducing the likelihood of authorization bypass conditions.", "threat_severity": "Moderate"}

{}