HTTP Request Smuggling Affecting gitlab-cng-17.4 package, versions <17.4.4-r0
- Snyk ID SNYK-CHAINGUARDLATEST-GITLABCNG174-8383433
- published 18 Nov 2024
- disclosed 19 Sep 2024
Introduced: 19 Sep 2024
CVE-2024-45614
How to fix?
Upgrade Chainguard gitlab-cng-17.4 to version 17.4.4-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gitlab-cng-17.4 package and not the gitlab-cng-17.4 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy-set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.
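The collision described above comes from CGI-style header normalization: both '-' and '_' become '_' in the Rack env key, so X-Forwarded-For and X-Forwarded_For land on HTTP_X_FORWARDED_FOR. The following is an added example, not Puma's own code; it models that normalization, the pre-fix overwrite, and the v6.4.3/v5.6.9 rule of discarding the underscore variant when the dash spelling is also present. The header list and IP values are constructed.

```ruby
# Convert a raw header name to its Rack env key the way CGI does:
# uppercase, and both '-' and '_' become '_'. "X-Forwarded-For" and
# "X-Forwarded_For" therefore map to the same key.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Pre-fix behaviour (modelled, not Puma's code): every header is written
# to the env in arrival order, so a client-supplied underscore variant
# overwrites the value the proxy set on the dash variant.
def build_env_vulnerable(headers)
  headers.each_with_object({}) do |(name, value), env|
    env[env_key(name)] = value
  end
end

# Fixed behaviour (modelled): if a header name contains an underscore and
# the dash-only spelling of the same name is also present in the request,
# discard the underscore variant so the proxy-defined header always wins.
# Underscore headers with no dash counterpart are kept unchanged.
def build_env_fixed(headers)
  dash_names = headers.map { |name, _| name.downcase }.reject { |n| n.include?("_") }
  env = {}
  headers.each do |name, value|
    if name.include?("_") && dash_names.include?(name.downcase.tr("_", "-"))
      next # drop the clobbering variant
    end
    env[env_key(name)] = value
  end
  env
end

# Constructed request headers: the reverse proxy set X-Forwarded-For, and
# the client also sent the underscore spelling later in the same request.
HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.7"], # set by the reverse proxy
  ["X-Forwarded_For", "127.0.0.1"],   # client-controlled
  ["X_Request_Tag", "abc"],           # underscore-only, no dash twin: kept
].freeze

if __FILE__ == $0
  puts "vulnerable: #{build_env_vulnerable(HEADERS)['HTTP_X_FORWARDED_FOR']}" # 127.0.0.1
  puts "fixed:      #{build_env_fixed(HEADERS)['HTTP_X_FORWARDED_FOR']}"      # 203.0.113.7
end
```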