Upstream information
Description
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
CNA (Snyk) | |
---|---|
Base Score | 5.4 |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- RHSA-2024:10987, published Thu Dec 19 16:06:15 UTC 2024
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Liberty Linux 8 |
| Patchnames: RHSA-2024:10987 |
SUSE Timeline for this CVE
CVE page created: Fri Nov 1 08:00:03 2024CVE page last modified: Thu Dec 19 19:55:09 2024