Bug 2100563 (CVE-2022-2255) - CVE-2022-2255 mod_wsgi: Trusted Proxy Headers Removing Bypass
Summary: CVE-2022-2255 mod_wsgi: Trusted Proxy Headers Removing Bypass
Keywords:
Status: NEW
Alias: CVE-2022-2255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2108263 2108264 2108265 2108266 2108267 2108268 2108272 2108273
Blocks: 2097484 2102350
TreeView+ depends on / blocked
 
Reported: 2022-06-23 17:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2025-05-12 07:58 UTC (History)
8 users (show)

Fixed In Version: mod_wsgi 4.9.3
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:4791 0 None None None 2025-05-12 07:58:59 UTC

Description Guilherme de Almeida Suckevicz 2022-06-23 17:37:59 UTC 
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

References:
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
Comment 2 Guilherme de Almeida Suckevicz 2022-07-18 17:55:45 UTC 
Upstream patch:
https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
Comment 3 Guilherme de Almeida Suckevicz 2022-07-18 18:00:15 UTC 
Created mod_wsgi tracking bugs for this issue:

Affects: fedora-all [bug 2108273]


Created python3-mod_wsgi tracking bugs for this issue:

Affects: epel-7 [bug 2108272]
Comment 7 errata-xmlrpc 2025-05-12 07:58:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:4791 https://access.redhat.com/errata/RHSA-2025:4791
Note You need to log in before you can comment on or make changes to this bug.