{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-21510","title":"Title"},{"category":"description","text":"Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-21510","url":"https://www.suse.com/security/cve/CVE-2024-21510"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1232746 for CVE-2024-21510","url":"https://bugzilla.suse.com/1232746"},{"category":"external","summary":"Advisory link for RHSA-2024:10987","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2024-December/000692.html"}],"title":"SUSE CVE CVE-2024-21510","tracking":{"current_release_date":"2025-03-15T05:34:02Z","generator":{"date":"2024-11-06T04:08:30Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-21510","initial_release_date":"2024-11-06T04:08:30Z","revision_history":[{"date":"2024-11-06T04:08:30Z","number":"2","summary":"Current version"},{"date":"2024-12-20T04:17:21Z","number":"3","summary":"Current version"},{"date":"2025-02-14T05:29:53Z","number":"4","summary":"Current version"},{"date":"2025-02-16T05:22:50Z","number":"5","summary":"Current version"},{"date":"2025-03-15T05:34:02Z","number":"6","summary":"Current version"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Liberty Linux 8","product":{"name":"SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8","product_identification_helper":{"cpe":"cpe:/o:suse:sll:8"}}},{"category":"product_version","name":"pcs-0.10.18-2.el8_10.3","product":{"name":"pcs-0.10.18-2.el8_10.3","product_id":"pcs-0.10.18-2.el8_10.3","product_identification_helper":{"purl":"pkg:rpm/suse/pcs@0.10.18-2.el8_10.3"}}},{"category":"product_version","name":"pcs-snmp-0.10.18-2.el8_10.3","product":{"name":"pcs-snmp-0.10.18-2.el8_10.3","product_id":"pcs-snmp-0.10.18-2.el8_10.3","product_identification_helper":{"purl":"pkg:rpm/suse/pcs-snmp@0.10.18-2.el8_10.3"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"pcs-0.10.18-2.el8_10.3 as component of SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8:pcs-0.10.18-2.el8_10.3"},"product_reference":"pcs-0.10.18-2.el8_10.3","relates_to_product_reference":"SUSE Liberty Linux 8"},{"category":"default_component_of","full_product_name":{"name":"pcs-snmp-0.10.18-2.el8_10.3 as component of SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8:pcs-snmp-0.10.18-2.el8_10.3"},"product_reference":"pcs-snmp-0.10.18-2.el8_10.3","relates_to_product_reference":"SUSE Liberty Linux 8"}]},"vulnerabilities":[{"cve":"CVE-2024-21510","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-21510"}],"notes":[{"category":"general","text":"Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.","title":"CVE description"}],"product_status":{"recommended":["SUSE Liberty Linux 8:pcs-0.10.18-2.el8_10.3","SUSE Liberty Linux 8:pcs-snmp-0.10.18-2.el8_10.3"]},"references":[{"category":"external","summary":"CVE-2024-21510","url":"https://www.suse.com/security/cve/CVE-2024-21510"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1232746 for CVE-2024-21510","url":"https://bugzilla.suse.com/1232746"},{"category":"external","summary":"Advisory link for RHSA-2024:10987","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2024-December/000692.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Liberty Linux 8:pcs-0.10.18-2.el8_10.3","SUSE Liberty Linux 8:pcs-snmp-0.10.18-2.el8_10.3"]}],"threats":[{"category":"impact","date":"2024-11-01T07:00:03Z","details":"moderate"}],"title":"CVE-2024-21510"}]}