CVE-2024-21510
Reliance on Untrusted Inputs in a Security Decision vulnerability in sinatra (RubyGems)
What is CVE-2024-21510 About?
Sinatra versions from 0.0.0 are vulnerable to an Open Redirect Attack via the `X-Forwarded-Host` header when redirecting. This can also lead to Cache Poisoning or Routing-based SSRF if the application is used with caching servers or reverse proxies without proper header handling. Exploitation is relatively easy if an attacker can manipulate the `X-Forwarded-Host` header.
Affected Software
Technical Details
The vulnerability in Sinatra arises from its reliance on the X-Forwarded-Host (XFH) header for constructing redirect URLs without properly validating the header's content against trusted hostnames. When a Sinatra application performs a redirect, if the XFH header is present and contains a malicious domain, Sinatra will use this domain in the redirect URL. This enables an Open Redirect attack, where users are redirected from the legitimate site to an attacker-controlled site, often used in phishing. Furthermore, if the application operates behind a reverse proxy or caching server that honors the XFH header, the cache for a legitimate URL can be poisoned with content from the attacker's site (Cache Poisoning), or routing decisions based on the XFH header can be manipulated to achieve Server-Side Request Forgery (SSRF) against internal services.
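As an added illustration (not Sinatra's own code and not the 4.1.0 fix), the flawed pattern described above sits next to an allowlist-based hardened form, written against a plain Rack-style env hash; `TRUSTED_HOSTS`, `CANONICAL_HOST` and the helper names are assumptions, and the sample request is constructed:

```ruby
require 'uri'

# Hypothetical allowlist of hostnames this deployment actually serves.
TRUSTED_HOSTS = %w[app.example.com www.example.com].freeze
CANONICAL_HOST = 'app.example.com'

# Vulnerable pattern the advisory describes: whatever X-Forwarded-Host says
# becomes the host of the absolute redirect URL, with no validation at all.
def vulnerable_redirect_uri(env, path)
  host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  scheme = env['rack.url_scheme'] || 'http'
  "#{scheme}://#{host}#{path}"
end

# Hardened variant: the forwarded host is honoured only when it is on the
# allowlist; anything else falls back to the canonical host.
def safe_redirect_uri(env, path, trusted_hosts: TRUSTED_HOSTS, canonical_host: CANONICAL_HOST)
  # Proxies may append to X-Forwarded-Host, giving a comma-separated chain;
  # only the first entry is the client-facing host.
  candidate = env['HTTP_X_FORWARDED_HOST'].to_s.split(',').first.to_s.strip.downcase
  host = trusted_hosts.include?(candidate) ? candidate : canonical_host
  scheme = env['rack.url_scheme'] || 'http'
  "#{scheme}://#{host}#{path}"
end

# Defender-side check for an application test suite or a response hook:
# does a Location header value point at a host we own? Relative targets
# stay on the current origin; scheme-relative "//host/..." does not.
def location_host_trusted?(location, trusted_hosts: TRUSTED_HOSTS)
  uri = URI.parse(location)
  return true if uri.host.nil?
  trusted_hosts.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: a proxy passed through a client-supplied header.
  env = { 'HTTP_HOST' => 'app.example.com', 'rack.url_scheme' => 'https',
          'HTTP_X_FORWARDED_HOST' => 'evil.example.net' }
  puts "vulnerable: #{vulnerable_redirect_uri(env, '/login')}"
  puts "hardened:   #{safe_redirect_uri(env, '/login')}"
end
```

Running `location_host_trusted?` over every `Location` header your test suite sees is a cheap regression check for this class of bug, independent of which framework version is installed.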
What is the Impact of CVE-2024-21510?
Successful exploitation may allow attackers to conduct Open Redirect attacks, Cache Poisoning, or Routing-based Server-Side Request Forgery (SSRF), leading to phishing, delivery of malicious content, or access to internal resources.
What is the Exploitability of CVE-2024-21510?
Exploitation involves crafting an HTTP request with a malicious X-Forwarded-Host header and targeting an endpoint that performs a redirect. The complexity is low for Open Redirect. Cache Poisoning and SSRF might be moderately complex, depending on the network architecture. No authentication is typically required for Open Redirect. This is a remote exploit. The primary risk factors include the presence of an affected Sinatra application behind a reverse proxy or caching layer that does not properly sanitize or validate the X-Forwarded-Host header, and any user interaction that leads to a redirect.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21510?
Available Upgrade Options
- sinatra
  - <4.1.0 → Upgrade to 4.1.0
Additional Resources
- https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
- https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L319
- https://github.com/sinatra/sinatra/blob/b626e2d82c23b4fde0b51782fd32ca27ccde1d1a/lib/sinatra/base.rb#L323C1-L343C17
- https://osv.dev/vulnerability/GHSA-hxx2-7vcw-mqr3
- https://github.com/sinatra/sinatra/pull/2010
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2024-21510.yml
- https://github.com/sinatra/sinatra/blob/main/CHANGELOG.md#410--2024-11-18
What are Similar Vulnerabilities to CVE-2024-21510?
Similar Vulnerabilities: CVE-2023-38545, CVE-2023-38546, CVE-2023-38547, CVE-2023-38548, CVE-2023-38549
