A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
References
Link | Resource |
---|---|
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941 | Exploit Third Party Advisory |
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082 | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html | Mailing List Third Party Advisory |
https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html | Release Notes Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2022-08-25T17:26:19
Updated: 2022-09-16T00:06:17
Reserved: 2022-06-29T00:00:00
Link: CVE-2022-2255
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-08-25T18:15:09.993
Modified: 2022-10-01T02:31:45.697
Link: CVE-2022-2255
JSON object: View
Redhat Information
No data.