CVE-2022-2255
HIGH7.5EPSS 0.46%Incorrect header handling in mod-wsgi
Published: 8/26/2022Modified: 9/25/2024
Description
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Affected packages (5)
- Bitnami/mod_wsgifrom 0, < 4.9.3
- Debian/mod-wsgifrom 0, < 4.7.1-3+deb11u1
- Debian/mod-wsgifrom 0, < 4.6.5-1+deb10u1
- PyPI/mod-wsgifrom 0, < 4.9.3
- PyPI/mod-wsgifrom 0, < 4.9.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (10)
- ADVISORYhttps://github.com/advisories/GHSA-7527-8855-9cf8
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2255
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-2255
- PATCHhttps://github.com/GrahamDumpleton/mod_wsgi
- WEBhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
- WEBhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
- WEBhttps://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mod-wsgi/PYSEC-2022-254.yaml
- WEBhttps://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
- WEBhttps://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html