How severe is CVE-2024-45614?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.4 out of 10.

What type of vulnerability is CVE-2024-45614?

This is classified as CWE-639, which is a common weakness in software security.

CVE-2024-45614 - MEDIUM Severity | CVSS 5.4

Vulnerability Description

Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.

Related Vulnerabilities

CVE-2019-10108

MEDIUM

CVSS:5.4(Medium)

An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private ...

CWE-6392019

CVE-2019-5966

MEDIUM

CVSS:5.4(Medium)

Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors.

CWE-6392019

CVE-2020-5194

MEDIUM

CVSS:5.4(Medium)

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification oc...

CWE-6392020

CVE-2020-7918

MEDIUM

CVSS:5.4(Medium)

An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration.

CWE-6392020

CVE-2021-24473

MEDIUM

CVSS:5.4(Medium)

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pic...

CWE-6392021

CVE-2021-29773

MEDIUM

CVSS:5.4(Medium)

IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-F...

CWE-6392021