CVE-2024-21510

Publication date 1 November 2024

Last updated 4 March 2025


Ubuntu priority

All versions of the package sinatra (from 0.0.0) are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When a request reaches a route that issues a redirect, an attacker who supplies an arbitrary host in this header turns the redirect into an Open Redirect, because the absolute Location URL is assembled from the forwarded host rather than the host the client actually contacted. Where the application sits behind a cache or reverse proxy such as Nginx that passes X-Forwarded-Host through without overwriting or validating it, the same behaviour can be exploited for Cache Poisoning or Routing-based SSRF.
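A minimal model of the mechanism, added here as an example for this page; it is not Sinatra's or Rack's own code. It assumes the host-precedence rule used by Rack before 3.0 (the last X-Forwarded-Host value wins over Host, which wins over SERVER_NAME) and builds the redirect target the way an absolute redirect helper would. The env hashes, the ALLOWED_FORWARDED_HOSTS allow-list and the function names are constructed for the example.

```ruby
# Added example, not Sinatra's or Rack's code. The precedence rule in
# forwarded_host (X-Forwarded-Host, then Host, then SERVER_NAME) is an
# assumption modelled on Rack < 3.0 behaviour, not a quotation of it.

# Sample Rack env hashes, constructed for this example.
DIRECT_REQUEST = {
  "rack.url_scheme" => "https",
  "HTTP_HOST"       => "app.example.com",
  "SERVER_NAME"     => "app.example.com",
}.freeze

# Same request, but the client added a forged X-Forwarded-Host.
SPOOFED_REQUEST = DIRECT_REQUEST.merge(
  "HTTP_X_FORWARDED_HOST" => "evil.example.net"
).freeze

# Host selection that trusts the forwarded header unconditionally.
def forwarded_host(env)
  xfh = env["HTTP_X_FORWARDED_HOST"]
  if xfh && !xfh.empty?
    xfh.split(",").last.strip # last hop in a comma-separated chain
  else
    env["HTTP_HOST"] || env["SERVER_NAME"]
  end
end

# Vulnerable: a relative redirect to /login becomes an absolute URL on
# whatever host the attacker put in X-Forwarded-Host.
def vulnerable_redirect_target(env, path)
  "#{env["rack.url_scheme"]}://#{forwarded_host(env)}#{path}"
end

# Hardened: only honour the forwarded host if it is on an explicit
# allow-list; otherwise ignore it and use the Host header the proxy
# validated. ALLOWED_FORWARDED_HOSTS is a hypothetical setting name.
ALLOWED_FORWARDED_HOSTS = %w[app.example.com www.example.com].freeze

def safe_host(env, allowed = ALLOWED_FORWARDED_HOSTS)
  candidate = forwarded_host(env)
  name = candidate.split(":").first.downcase # drop port, case-insensitive
  return candidate if allowed.include?(name)

  env["HTTP_HOST"] || env["SERVER_NAME"]
end

def safe_redirect_target(env, path, allowed = ALLOWED_FORWARDED_HOSTS)
  "#{env["rack.url_scheme"]}://#{safe_host(env, allowed)}#{path}"
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_redirect_target(SPOOFED_REQUEST, '/login')}"
  puts "hardened:   #{safe_redirect_target(SPOOFED_REQUEST, '/login')}"
end
```

The proxy side matters as much as the application side: a reverse proxy should overwrite the header rather than forward whatever the client sent (in Nginx, `proxy_set_header X-Forwarded-Host $host;`), so that the application never sees a client-chosen value in the first place. Without that, any cache in front of the application can store the poisoned Location response under the legitimate URL.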


Status

Package        Ubuntu Release      Status
ruby-sinatra   24.10 oracular      Ignored (see note)
ruby-sinatra   24.04 LTS noble     Ignored (see note)
ruby-sinatra   22.04 LTS jammy     Ignored (see note)
ruby-sinatra   20.04 LTS focal     Ignored (see note)
ruby-sinatra   18.04 LTS bionic    Ignored (see note)
ruby-sinatra   16.04 LTS xenial    Ignored (see note)

Notes


hlibk

The patch itself appears to be a security feature that enables users to allow certain hosts in forwarded headers. The patch relies on a dependency called ruby-rack, which does not contain an implementation of the RFC 7239 Forwarded header in versions of ruby-rack below 3.0. This means that the fix appears to be partial for those versions, and upstream has mentioned that they have no plans to support any older releases. Additionally, on jammy and below, the dependency appears to lack a feature that the patch requires, which makes the patch not apply to those releases.


mdeslaur

Since this introduces a new API to work around the issue, doesn't fix existing uses of ruby-sinatra, and is an intrusive backport, we will not be fixing this CVE in Ubuntu stable releases.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
ruby-sinatra