Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-32980

Date: May 8, 2024

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use "self" requests without a specified URL authority can be induced to make requests to arbitrary hosts via the "Host" HTTP header. The following conditions need to be met for an application to be vulnerable: 1. The environment Spin is deployed in routes requests to the Spin runtime based on the request URL instead of the "Host" header, and leaves the "Host" header set to its original value; 2. The Spin application's component handling the incoming request is configured with an "allow_outbound_hosts" list containing ""self""; and 3. In reaction to an incoming request, the component makes an outbound request whose URL doesn't include the hostname/port. Spin 2.4.3 has been released to fix this issue.

Language: RUST

Severity Score

Related Resources (5)

https://nvd.nist.gov/vuln/detail/CVE-2024-32980
https://github.com/fermyon/spin
https://github.com/fermyon/spin/security/advisories/GHSA-f3h7-gpjj-wcvh
https://github.com/fermyon/spin/commit/b3db535c9edb72278d4db3a201f0ed214e561354
https://www.mend.io/vulnerability-database/CVE-2024-32980

Severity Score

Weakness Type (CWE)

Externally Controlled Reference to a Resource in Another Sphere

CWE-610

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us