From 7b0cc594e5c624f545d4caee6161b69dc6844cc1 Mon Sep 17 00:00:00 2001 From: Thomas Koppensteiner Date: Mon, 18 Nov 2024 15:28:19 +0100 Subject: [PATCH] Improve GHSA-hxx2-7vcw-mqr3 --- .../11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/advisories/github-reviewed/2024/11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json b/advisories/github-reviewed/2024/11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json index 6fcb7b8cb7c31..0d7f0907b6f93 100644 --- a/advisories/github-reviewed/2024/11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json +++ b/advisories/github-reviewed/2024/11/GHSA-hxx2-7vcw-mqr3/GHSA-hxx2-7vcw-mqr3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hxx2-7vcw-mqr3", - "modified": "2024-11-04T13:52:38Z", + "modified": "2024-11-04T13:52:39Z", "published": "2024-11-01T06:30:34Z", "aliases": [ "CVE-2024-21510" @@ -9,10 +9,6 @@ "summary": "Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision", "details": "Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.", "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" - }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" @@ -32,11 +28,14 @@ "introduced": "0" }, { - "last_affected": "4.0.0" + "fixed": "4.1.0" } ] } - ] + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.0.0" + } } ], "references": [