The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
References
Link | Resource |
---|---|
https://caddyserver.com/v2 | Broken Link |
https://github.com/shift72/caddy-geo-ip/issues/4 | Third Party Advisory |
https://github.com/shift72/caddy-geo-ip/tags | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-12-10T00:00:00
Updated: 2023-12-10T22:30:47.439576
Reserved: 2023-12-10T00:00:00
Link: CVE-2023-50463
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-10T23:15:07.247
Modified: 2023-12-13T20:33:08.687
Link: CVE-2023-50463
JSON object: View
Redhat Information
No data.
CWE