CVE-2023-45132 - OpenCVE

NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Wargio	Naxsi

Configuration 1 [-]

cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*

References

Link	Resource
https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537	Patch
https://github.com/wargio/naxsi/pull/103	Patch
https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-11T20:21:26.313Z

Updated: 2023-10-11T20:21:26.313Z

Reserved: 2023-10-04T16:02:46.328Z

Link: CVE-2023-45132

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-11T21:15:10.207

Modified: 2023-10-18T02:38:01.093

Link: CVE-2023-45132

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45132", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-04T16:02:46.328Z", "datePublished": "2023-10-11T20:21:26.313Z", "dateUpdated": "2023-10-11T20:21:26.313Z"}, "containers": {"cna": {"title": "IgnoreIP/IgnoreCIDR should not trust X-Forwarded-For", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}, {"name": "https://github.com/wargio/naxsi/pull/103", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"name": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}], "affected": [{"vendor": "wargio", "product": "naxsi", "versions": [{"version": ">= 1.3, < 1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T20:21:26.313Z"}, "descriptions": [{"lang": "en", "value": "NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.\n"}], "source": {"advisory": "GHSA-7qjc-q4j9-pc8x", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*", "matchCriteriaId": "8409BA98-A088-4290-86DF-9654A90D7FAF", "versionEndExcluding": "1.6", "versionStartIncluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.\n"}, {"lang": "es", "value": "NAXSI es un firewall de aplicaciones web (WAF) de mantenimiento de c\u00f3digo abierto para NGINX. Un problema est\u00e1 presente a partir de la versi\u00f3n 1.3 y anteriores a la versi\u00f3n 1.6 permite que alguien omita el WAF cuando una IP maliciosa `X-Forwarded-For` coincide con las reglas `IgnoreIP` `IgnoreCIDR`. Este c\u00f3digo antiguo se organiz\u00f3 para permitir que las versiones anteriores de NGINX tambi\u00e9n admitieran `IgnoreIP` `IgnoreCIDR` cuando hab\u00eda varios servidores proxy inversos presentes. El problema se solucion\u00f3 en la versi\u00f3n 1.6. Como workaround, no configure ning\u00fan `IgnoreIP` `IgnoreCIDR` para versiones anteriores."}], "id": "CVE-2023-45132", "lastModified": "2023-10-18T02:38:01.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-11T21:15:10.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}