[Forgot Password]
Login  Register Subscribe

30480

 
 

423868

 
 

251782

 
 

909

 
 

196543

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2022-2255Date: (C)2022-08-16   (M)2023-12-22


A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 7.5CVSS Score :
Exploit Score: 3.9Exploit Score:
Impact Score: 3.6Impact Score:
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector:
Attack Complexity: LOWAccess Complexity:
Privileges Required: NONEAuthentication:
User Interaction: NONEConfidentiality:
Scope: UNCHANGEDIntegrity:
Confidentiality: NONEAvailability:
Integrity: HIGH 
Availability: NONE 
  
Reference:
https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html

CPE    1
cpe:/a:modwsgi:mod_wsgi
CWE    1
CWE-345
OVAL    6
oval:org.secpod.oval:def:3300822
oval:org.secpod.oval:def:3300374
oval:org.secpod.oval:def:88565
oval:org.secpod.oval:def:1701721
...

© SecPod Technologies