Arbitrary Address Injection Vulnerability in Sinatra Package
CVE-2024-21510

5.4MEDIUM

Key Information:

Vendor

sinatra

Status
Sinatra
Vendor
CVE Published:
1 November 2024

What is CVE-2024-21510?

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

sinatra 0.0.0

References

https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde...
https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

t0rchwo0d
JSON
.