GHSA-FC6G-2GCP-2QRQ RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...
CVE-2022-2366
Incorrect default configuration for the trusted IP header in Mattermost version 6.7.0 and earlier allows an attacker to bypass some of the rate limitations in place or use manipulated IPs for audit logging via manipulating the request headers...
PT-2022-16169 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 6.7.0 and earlier Description: The issue is related to an incorrect default configuration for the trusted IP header, which allows an attacker to bypass some rate limitations or use manipulated IPs for audit logging by...
Oracle WebLogic Server Plug-in HTTP Injection
The remote web server is using the WebLogic plug-in for Apache, IIS, or Sun web servers, a module included with Oracle (formerly BEA) WebLogic Server and used to proxy requests from an HTTP server to WebLogic. The version of this plug-in on the remote host is affected by an HTTP injection...