CVE-2024-45614: 
Ruby vulnerability analysis and mitigation

Puma, a Ruby/Rack web server built for parallelism, was found to have a header normalization vulnerability. In affected versions (prior to 6.4.3 and 5.6.9), clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). The vulnerability was disclosed on September 19, 2024 (GitHub Advisory).

The vulnerability is tracked as CVE-2024-45614 and has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N. The issue stems from inconsistent interpretation of HTTP headers where clients could override proxy-set headers by using underscore variants of the same header names. This vulnerability has been classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) and CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

The vulnerability could allow attackers to bypass security controls that rely on proxy-set headers. This could potentially lead to security downgrades, such as forcing non-SSL connections or redirecting responses, which could result in confidentiality breaches if combined with a man-in-the-middle attack (GitHub Advisory).

The vulnerability has been fixed in Puma versions 6.4.3 and 5.6.9, which now discard any headers using underscores if the non-underscore version exists. As a workaround, Nginx users can utilize the underscoresinheaders configuration variable to discard these headers at the proxy level. Users are strongly advised to upgrade to the fixed versions and should immediately cease trusting proxy-defined headers for security purposes until upgraded (GitHub Advisory).