CVE-2024-32980

Published: May 8, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use `self` requests without a specified URL authority can be induced to make requests to arbitrary hosts via the `Host` HTTP header. The following conditions need to be met for an application to be vulnerable: 1. The environment Spin is deployed in routes requests to the Spin runtime based on the request URL instead of the `Host` header, and leaves the `Host` header set to its original value; 2. The Spin application's component handling the incoming request is configured with an `allow_outbound_hosts` list containing `"self"`; and 3. In reaction to an incoming request, the component makes an outbound request whose URL doesn't include the hostname/port. Spin 2.4.3 has been released to fix this issue.

Vendor	Product	Versions
fermyon	spin	affected `< 2.4.3`

Weaknesses (CWE)

CWE-610

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/fermyon/spin/security/advisories/GHSA-f3h7-gpjj-wcvh

x_refsource_CONFIRM

https://github.com/fermyon/spin/commit/b3db535c9edb72278d4db3a201f0ed214e561354

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-32980

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References