Lucene search

GoogleOSV:CVE-2023-50463

HistoryDec 10, 2023 - 11:15 p.m.

CVE-2023-50463

2023-12-1023:15:07

Google

osv.dev

cve-2023-50463

geoip middleware

caddy 2

ip address spoofing

x-forwarded-for header

trust_header

protection mechanism

trusted_proxy directive

software vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

32.3%

JSON

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

CPENameOperatorVersion
caddyeq0.5.0
caddyeq0.5.1
caddyeq0.6.0

Name	Operator	Version
caddy	eq	0.5.0
caddy	eq	0.5.1
caddy	eq	0.6.0

References

caddyserver.com/v2

github.com/shift72/caddy-geo-ip/issues/4

github.com/shift72/caddy-geo-ip/tags

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

32.3%

JSON

Related for OSV:CVE-2023-50463