GHSA SYNC: 2 brand new advisories

gems/google-protobuf/CVE-2024-7254.yml

@@ -0,0 +1,62 @@
+---
+gem: google-protobuf
+cve: 2024-7254
+ghsa: 735f-pc8j-v9w8
+url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
+title: protobuf-java has potential Denial of Service issue
+date: 2024-09-19
+description: |+
+  ### Summary
+  When parsing unknown fields in the Protobuf Java Lite and Full library,
+  a maliciously crafted message can cause a StackOverflow error and lead
+  to a program crash.
+
+  Reporter: Alexis Challande, Trail of Bits Ecosystem Security
+  Team <[email protected]>
+
+  Affected versions: This issue affects all versions of both the Java
+  full and lite Protobuf runtimes, as well as Protobuf for Kotlin and
+  JRuby, which themselves use the Java Protobuf runtime.
+
+  ### Severity
+  [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254)
+  **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
+
+  This is a potential Denial of Service. Parsing nested groups as unknown
+  fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser,
+  or against Protobuf map fields, creates unbounded recursions that can
+  be abused by an attacker.
+
+  ### Proof of Concept
+  For reproduction details, please refer to the unit tests (Protobuf Java
+  [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java)
+  and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java))
+  that identify the specific inputs that exercise this parsing weakness.
+
+  ### Remediation and Mitigation
+  We have been working diligently to address this issue and have released
+  a mitigation that is available now. Please update to the latest
+  available versions of the following packages:
+
+  * protobuf-java (3.25.5, 4.27.5, 4.28.2)
+  * protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
+  * protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
+  * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
+  * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
+
+cvss_v4: 8.7
+patched_versions:
+  - "~> 3.25.5"
+  - "~> 4.27.5"
+  - ">= 4.28.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-7254
+    - https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
+    - https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
+    - https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
+    - https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
+    - https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
+    - https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
+    - https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
+    - https://github.com/advisories/GHSA-735f-pc8j-v9w8

gems/puma/CVE-2024-45614.yml

@@ -0,0 +1,43 @@
+---
+gem: puma
+cve: 2024-45614
+ghsa: 9hf4-67fc-4vf4
+url: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
+title: Puma's header normalization allows for client to clobber proxy set headers
+date: 2024-09-20
+description: |
+  ### Impact
+
+  Clients could clobber values set by intermediate proxies (such as
+  X-Forwarded-For) by providing a underscore version of the same
+  header (X-Forwarded_For).
+
+  Any users trusting headers set by their proxy may be affected.
+  Attackers may be able to downgrade connections to HTTP (non-SSL)
+  or redirect responses, which could cause confidentiality leaks
+  if combined with a separate MITM attack.
+
+  ### Patches
+  v6.4.3/v5.6.9 now discards any headers using underscores if the
+  non-underscore version also exists.  Effectively, allowing the
+  proxy defined headers to always win.
+
+  ### Workarounds
+  Nginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)
+  configuration variable to discard these headers at the proxy level.
+
+  Any users that are implicitly trusting the proxy defined headers
+  for security or availability should immediately cease doing so
+  until upgraded to the fixed versions.
+cvss_v3: 5.4
+patched_versions:
+  - "~> 5.6.9"
+  - ">= 6.4.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-45614
+    - https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
+    - https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
+    - https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
+    - https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
+    - https://github.com/advisories/GHSA-9hf4-67fc-4vf4