CVE-2023-44463 - OpenCVE

An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Rami	Pretix

Configuration 1 [-]

cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/pretix/pretix/commit/ccdce2ccb8207b82501af3c03f50abc0f819b469	Patch
https://github.com/pretix/pretix/compare/v2023.7.0...v2023.7.1	Patch
https://github.com/pretix/pretix/tags	Release Notes
https://pretix.eu/about/en/blog/20230911-release-2023-7-1/	Release Notes
https://pretix.eu/about/en/ticketing	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-10-02T00:00:00

Updated: 2023-10-02T19:21:37.920912

Reserved: 2023-09-29T00:00:00

Link: CVE-2023-44463

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-02T20:15:10.277

Modified: 2023-10-04T16:39:30.577

Link: CVE-2023-44463

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rami:pretix:*:*:*:*:*:*:*:*", "matchCriteriaId": "D721E2BB-22BE-4C00-903C-C1706BBF87AB", "versionEndExcluding": "2023.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el pretix antes de 2023.7.1. El an\u00e1lisis incorrecto de los archivos de configuraci\u00f3n hace que la aplicaci\u00f3n conf\u00ede en encabezados X-Fordered-For no verificados aunque no haya sido configurada para hacerlo. Esto puede provocar que los usuarios de la aplicaci\u00f3n suplanten la direcci\u00f3n IP."}], "id": "CVE-2023-44463", "lastModified": "2023-10-04T16:39:30.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-02T20:15:10.277", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/pretix/pretix/commit/ccdce2ccb8207b82501af3c03f50abc0f819b469"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/pretix/pretix/compare/v2023.7.0...v2023.7.1"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/pretix/pretix/tags"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://pretix.eu/about/en/blog/20230911-release-2023-7-1/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://pretix.eu/about/en/ticketing"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}