CVE-2023-41338
Severity: MEDIUM 5.3 | EPSS: 0.32% | IsFromLocal local address check can be circumvented in github.com/gofiber/fiber/v2
Published: 2023/9/8 | Modified: 2024/5/20
Description
The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request carries an X-Forwarded-For header whose first entry is a localhost IP address. Because X-Forwarded-For is supplied by the client (or any intermediary), a remote, unauthenticated attacker can set it to 127.0.0.1 and satisfy a check that was meant to restrict a handler to callers on the same host. The fix in v2.49.2 is to derive the answer from the address of the peer that actually opened the connection instead of from the header.
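The following added example is not Fiber's own code: it rebuilds the two decision rules on plain net/http so the flaw and the fix can be run side by side. IsFromLocalVulnerable follows the pattern the advisory describes (the first X-Forwarded-For entry is trusted as the client address, the transport peer is only a fallback); IsFromLocalFixed uses only the connection's RemoteAddr. The request helpers, the TEST-NET-3 peer address 203.0.113.10 and the /admin/debug path are constructed sample input, not anything from the advisory.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isLoopback reports whether addr parses as an IP in the loopback range
// (127.0.0.0/8 or ::1). Unparseable input is never treated as local.
func isLoopback(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && ip.IsLoopback()
}

// remoteIP returns the IP of the TCP peer that actually connected, taken from
// the connection's remote address rather than from any header.
func remoteIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // no port component; use the value as-is
	}
	return host
}

// firstForwardedIP mirrors the flawed pattern: prefer the first entry of the
// client-supplied X-Forwarded-For header and only fall back to the peer
// address when the header is absent.
func firstForwardedIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.SplitN(xff, ",", 2)[0])
	}
	return remoteIP(r)
}

// IsFromLocalVulnerable decides "local" from a header anyone can set.
func IsFromLocalVulnerable(r *http.Request) bool {
	return isLoopback(firstForwardedIP(r))
}

// IsFromLocalFixed decides "local" from the transport-level peer address,
// which a remote client cannot forge.
func IsFromLocalFixed(r *http.Request) bool {
	return isLoopback(remoteIP(r))
}

// spoofedRequest is constructed sample input: a remote peer (203.0.113.10,
// TEST-NET-3) claiming to be localhost via X-Forwarded-For.
func spoofedRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin/debug", nil)
	r.RemoteAddr = "203.0.113.10:51234"
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	return r
}

// loopbackRequest is constructed sample input for a genuine local caller.
func loopbackRequest() *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin/debug", nil)
	r.RemoteAddr = "127.0.0.1:40000"
	return r
}

func main() {
	for name, r := range map[string]*http.Request{
		"spoofed":  spoofedRequest(),
		"loopback": loopbackRequest(),
	} {
		fmt.Printf("%-8s vulnerable=%-5v fixed=%v\n",
			name, IsFromLocalVulnerable(r), IsFromLocalFixed(r))
	}
}
```

One caveat when applying the fixed rule: if the application sits behind a reverse proxy running on the same host, every forwarded request arrives from a loopback peer, so a RemoteAddr-based "is local" check will pass for all of them and is not a useful access control in that deployment.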
Affected packages (3)
- Go / github.com/gofiber/fiber: from 0, <= 1.14.6
- Go / github.com/gofiber/fiber/v2: from 0, < 2.49.2
- Go / github.com/gofiber/fiber/v2: from 0, < 2.49.2-0.20230906112033-b8c9ede6efa2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-41338
- PATCH: https://github.com/gofiber/fiber
- WEB: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
- WEB: https://docs.gofiber.io/api/ctx#isfromlocal
- WEB: https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc
- WEB: https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f