Name | CVE-2024-21510 |
Description | Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision (CWE-807) via the X-Forwarded-Host (XFH) header. When a request reaches a route that issues a redirect, an attacker can trigger an open redirect by placing an arbitrary host in this header, because the absolute redirect target is built from the host the request claims to have. If the application sits behind a cache or reverse proxy such as Nginx that forwards X-Forwarded-Host without sanitising it, the same primitive can be turned into cache poisoning or routing-based SSRF. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1087290 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status
--- | --- | --- | ---
ruby-sinatra (PTS) | bullseye | 2.0.8.1-2 | vulnerable
| bullseye (security) | 2.0.8.1-2+deb11u1 | vulnerable
| bookworm | 3.0.5-3 | vulnerable
| trixie | 3.2.0-1 | vulnerable
| sid | 4.1.1-5 | fixed
The information below is based on the following data on fixed versions.
Notes
[bookworm] - ruby-sinatra <ignored> (Minor issue, too intrusive to backport)
[bullseye] - ruby-sinatra <ignored> (Minor issue, too intrusive to backport)
https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
https://github.com/sinatra/sinatra/pull/2053
Rejected upstream fix: https://github.com/sinatra/sinatra/pull/2010
Fixed by: https://github.com/sinatra/sinatra/commit/cd3e00de20ddaff34ea30f7a74a7b9dad189d1d8 (v4.1.0)
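The following is an added illustration of the mechanism described in the CVE text above; it is stand-alone Ruby, not code from Sinatra, Rack or the upstream fix commit. The simulated host derivation follows Rack's rule that X-Forwarded-Host (last value if comma-separated) overrides Host; the hostnames in PERMITTED_HOSTS and the sample env hashes are constructed for the example. Upstream's 4.1.0 fix introduces a host-authorization setting; the allowlist below shows the same idea in miniature and is not that implementation.

```ruby
# Added example (not Sinatra's or Rack's own code): an absolute redirect built
# from the proxy-supplied X-Forwarded-Host header becomes an open redirect, and
# an exact-match host allowlist neutralises it.

# Host as a Rack-style request derives it (simplified): the forwarded header,
# when present, wins over the Host header; the last comma-separated value is used.
def request_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  if forwarded && !forwarded.empty?
    forwarded.split(/,\s*/).last.strip
  else
    (env["HTTP_HOST"] || env["SERVER_NAME"]).to_s
  end
end

# Vulnerable behaviour: an absolute redirect (Sinatra's default) whose Location
# uses whatever host the request claims, so the header controls the target.
def vulnerable_redirect(env, path)
  scheme = env["rack.url_scheme"] || "http"
  "#{scheme}://#{request_host(env)}#{path}"
end

# Assumed deployment value: the only hostnames this app may ever redirect to.
PERMITTED_HOSTS = ["app.example.com", "localhost"].freeze

class HostNotPermitted < StandardError; end

# Exact, case-insensitive match after stripping an optional port. Exact matching
# (rather than suffix or substring checks) also rejects tricks such as
# "app.example.com.attacker.example" or "app.example.com@attacker.example".
def host_permitted?(host, permitted = PERMITTED_HOSTS)
  name = host.sub(/:\d+\z/, "").downcase
  permitted.include?(name)
end

# Hardened: refuse to redirect at all when the request host is not permitted.
def safe_redirect(env, path, permitted = PERMITTED_HOSTS)
  host = request_host(env)
  raise HostNotPermitted, host unless host_permitted?(host, permitted)
  scheme = env["rack.url_scheme"] || "http"
  "#{scheme}://#{host}#{path}"
end

# Constructed sample requests: a normal one and one carrying the attacker header.
NORMAL_ENV = { "HTTP_HOST" => "app.example.com", "rack.url_scheme" => "https" }.freeze
ATTACK_ENV = NORMAL_ENV.merge("HTTP_X_FORWARDED_HOST" => "attacker.example").freeze

if __FILE__ == $0
  puts vulnerable_redirect(NORMAL_ENV, "/login")   # https://app.example.com/login
  puts vulnerable_redirect(ATTACK_ENV, "/login")   # https://attacker.example/login
  begin
    safe_redirect(ATTACK_ENV, "/login")
  rescue HostNotPermitted => e
    puts "rejected host: #{e.message}"
  end
end
```

The complementary control belongs at the proxy: overwrite the header instead of forwarding the client's copy (in Nginx, `proxy_set_header X-Forwarded-Host $host;`), so the application only ever sees the proxy's own view of the host. The allowlist in the application is still worth keeping, because it protects deployments where the proxy configuration is not under the same team's control.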