CVE-2023-41338
Severity: MEDIUM 5.3 | EPSS: 0.26%
IsFromLocal local address check can be circumvented in github.com/gofiber/fiber/v2
Published: 9/8/2023 | Modified: 5/20/2024
Description
The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request carries an X-Forwarded-For header containing a localhost IP address. Because X-Forwarded-For is supplied by the client, any remote, unauthenticated peer can set it, so code that gates functionality on IsFromLocal may expose that functionality to remote callers.
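The following Go program is an added illustration of the flaw the description names; it is not Fiber's source code and uses only net/http, so the function names (isLoopback, isFromLocalVulnerable, isFromLocalFixed) and the constructed requests are assumptions made for this example. The vulnerable variant consults the first X-Forwarded-For entry before the transport-level peer address; the fixed variant ignores forwarding headers and decides solely on the address the TCP connection came from.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isLoopback reports whether ip parses as a loopback address
// (127.0.0.0/8 or ::1). Unparseable input is never treated as local.
func isLoopback(ip string) bool {
	parsed := net.ParseIP(strings.TrimSpace(ip))
	return parsed != nil && parsed.IsLoopback()
}

// peerHost extracts the host part of the connection's remote address.
func peerHost(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// isFromLocalVulnerable mirrors the flawed logic the advisory describes
// (hypothetical reconstruction, not Fiber's code): the first
// X-Forwarded-For entry, which the client controls, wins over the
// real peer address.
func isFromLocalVulnerable(r *http.Request) bool {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		first := strings.SplitN(xff, ",", 2)[0]
		return isLoopback(first)
	}
	return isLoopback(peerHost(r))
}

// isFromLocalFixed ignores forwarding headers entirely and trusts only
// the address the TCP connection actually came from, which a remote
// client cannot forge.
func isFromLocalFixed(r *http.Request) bool {
	return isLoopback(peerHost(r))
}

// spoofedRequest is a constructed request from a remote peer that
// carries a forged "X-Forwarded-For: 127.0.0.1" header.
func spoofedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.RemoteAddr = "203.0.113.7:51234" // TEST-NET-3 documentation address
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	return r
}

// localRequest is a constructed request that genuinely arrives over loopback.
func localRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.RemoteAddr = "127.0.0.1:40000"
	return r
}

func main() {
	spoofed, local := spoofedRequest(), localRequest()
	fmt.Printf("spoofed remote client: vulnerable=%v fixed=%v\n",
		isFromLocalVulnerable(spoofed), isFromLocalFixed(spoofed))
	fmt.Printf("genuine loopback client: vulnerable=%v fixed=%v\n",
		isFromLocalVulnerable(local), isFromLocalFixed(local))
}
```

One caveat on the fixed form: when the application sits behind a reverse proxy, the connection's remote address is the proxy's, so a peer-address check answers whether the proxy is local, not whether the original client is. Any decision that must reflect the original client's address has to be made by a component that terminates the client connection itself.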
Affected packages (3)
- Go / github.com/gofiber/fiber: from 0, <= 1.14.6
- Go / github.com/gofiber/fiber/v2: from 0, < 2.49.2
- Go / github.com/gofiber/fiber/v2: from 0, < 2.49.2-0.20230906112033-b8c9ede6efa2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-41338
- PATCH: https://github.com/gofiber/fiber
- WEB: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
- WEB: https://docs.gofiber.io/api/ctx#isfromlocal
- WEB: https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc
- WEB: https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f