CVE-2022-2255

Date: 2022-08-25 18:15:09
CWE: CWE-345, CWE-348
Source: web.nvd.nist.gov
Tags: cve-2022-2255, mod_wsgi, vulnerability, x-client-ip header, untrusted proxy, wsgi application

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low
Percentile: 44.5%

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
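
An application-side guard for the condition described above, as an added example that is not mod_wsgi's code or its fix: a WSGI middleware that drops the X-Client-IP header unless the direct peer is a trusted proxy. It assumes `REMOTE_ADDR` holds the address of the direct peer; the class name, the trusted range `10.0.0.0/8` and the sample addresses are constructed for illustration.

```python
import ipaddress

# WSGI exposes the X-Client-IP request header as this environ key.
CLIENT_IP_KEYS = ("HTTP_X_CLIENT_IP",)


class StripUntrustedClientIP:
    """Hypothetical middleware: keep client-IP headers only from trusted proxies."""

    def __init__(self, app, trusted_proxies, keys=CLIENT_IP_KEYS):
        self.app = app
        self.networks = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.keys = tuple(keys)

    def peer_is_trusted(self, environ):
        # Assumption: REMOTE_ADDR is the direct peer, not a value derived from headers.
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed peer address: treat as untrusted
        return any(peer in net for net in self.networks)

    def __call__(self, environ, start_response):
        if not self.peer_is_trusted(environ):
            for key in self.keys:
                environ.pop(key, None)  # the removal step the description says was missing
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed sample app that reports the X-Client-IP value it received."""
    seen = environ.get("HTTP_X_CLIENT_IP", "<absent>")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [seen.encode()]


def run(remote_addr, claimed_ip):
    """Send one constructed request through the middleware and return the body."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr,
               "HTTP_X_CLIENT_IP": claimed_ip}
    wrapped = StripUntrustedClientIP(demo_app, ["10.0.0.0/8"])
    return b"".join(wrapped(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(run("203.0.113.7", "127.0.0.1"))    # untrusted peer: header stripped
    print(run("10.1.2.3", "198.51.100.9"))    # trusted proxy: header kept
```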

Affected configurations

Node: modwsgi mod_wsgi, Range: 4.9.3

Vendor: modwsgi
Product: mod_wsgi
Version: *
CPE: cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "mod_wsgi",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "mod_wsgi versions prior to 4.9.3"
      }
    ]
  }
]
