PT-2024-25028 · Spin · Spin
Lann
Published: 2024-05-08
Updated: 2024-05-10
CVE-2024-32980
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Spin versions prior to 2.4.3
Description
The issue affects specifically configured Spin applications that make "self" requests without a URL authority; such applications can be induced to send requests to arbitrary hosts via the Host HTTP header. This can happen when all of the following conditions are met:
- the environment routes requests based on the URL rather than the Host header;
- the application's component is configured with an allowed outbound hosts list containing "self";
- the component makes an outbound request without a hostname/port in the URL.
Recommendations
For versions prior to 2.4.3, update to version 2.4.3 to fix the issue.
As a temporary workaround, ensure that the Host header is sanitized to match the application a request is routed to.
For individual applications, consider the following workarounds:
- Ensure that outgoing requests always sanitize the Host header.
- Ensure that outgoing requests always provide the hostname in the URL and use that hostname in the allowed outbound hosts list instead of "self".
- When using Spin 2.4, use application-internal service chaining for intra-application requests.
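To make the Host-header workaround concrete, the following added Python model (not Spin's code or API; the function names, the assumed `http` scheme and the hostnames are constructed for illustration) shows how an authority-less "self" request takes its host from the incoming Host header, and a sanitization check that only accepts a Host value matching an authority the application is known to be routed on.

```python
"""Constructed model of the CVE-2024-32980 failure mode and of the
advisory's Host-header sanitization workaround. Not Spin's own code."""
from urllib.parse import urlsplit, urlunsplit


def resolve_self_request(path_or_url, host_header):
    """Vulnerable behaviour: a request whose URL has no authority ("self")
    is completed with whatever authority the incoming Host header carries,
    so a caller who controls Host also chooses the outbound target."""
    parts = urlsplit(path_or_url)
    if parts.netloc:
        return path_or_url  # explicit authority given; nothing to fill in
    # Scheme is assumed to be http for this illustration.
    return urlunsplit(("http", host_header, parts.path, parts.query, parts.fragment))


def sanitize_host(host_header, allowed_authorities):
    """Workaround: accept only a Host header that exactly matches an
    authority the application is actually routed on (case-insensitive,
    trailing DNS dot ignored). If the app is served on a non-default port,
    the allowlist entry must include that port, e.g. "app.example.com:3000".
    Anything else, including an attacker-chosen host, is rejected."""
    host = host_header.strip().lower().rstrip(".")
    allowed = {a.strip().lower().rstrip(".") for a in allowed_authorities}
    if not host or host not in allowed:
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return host


def resolve_self_request_safe(path_or_url, host_header, allowed_authorities):
    """Hardened form: the Host header is sanitized before it is allowed to
    become the authority of an authority-less self request."""
    return resolve_self_request(path_or_url, sanitize_host(host_header, allowed_authorities))


if __name__ == "__main__":
    # Constructed sample: the app is routed on app.example.com, but the
    # request arrives with an attacker-supplied Host header.
    print(resolve_self_request("/api/items?id=1", "evil.example"))
    try:
        resolve_self_request_safe("/api/items?id=1", "evil.example", {"app.example.com"})
    except ValueError as err:
        print("blocked:", err)
    print(resolve_self_request_safe("/api/items?id=1", "App.Example.com.", {"app.example.com"}))
```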
Affected Products
Spin