Description

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use `self` requests without a specified URL authority can be induced to make requests to arbitrary hosts via the `Host` HTTP header. The following conditions need to be met for an application to be vulnerable: 1. The environment Spin is deployed in routes requests to the Spin runtime based on the request URL instead of the `Host` header, and leaves the `Host` header set to its original value; 2. The Spin application's component handling the incoming request is configured with an `allow_outbound_hosts` list containing `"self"`; and 3. In reaction to an incoming request, the component makes an outbound request whose URL doesn't include the hostname/port. Spin 2.4.3 has been released to fix this issue.

INFO

Published Date :

2024-05-08T14:32:09.059Z

Last Modified :

2024-08-02T02:27:53.504Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-32980 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-32980.

URL Resource
https://github.com/fermyon/spin/commit/b3db535c9edb72278d4db3a201f0ed214e561354 cve-icon cve-icon cve-icon
https://github.com/fermyon/spin/security/advisories/GHSA-f3h7-gpjj-wcvh cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact