Bug 2100563 (CVE-2022-2255) - CVE-2022-2255 mod_wsgi: Trusted Proxy Headers Removing Bypass
Summary: CVE-2022-2255 mod_wsgi: Trusted Proxy Headers Removing Bypass
Keywords:
Status: NEW
Alias: CVE-2022-2255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2108263 2108264 2108265 2108266 2108267 2108268 2108272 2108273
Blocks: 2097484 2102350
TreeView+ depends on / blocked
 
Reported: 2022-06-23 17:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:31 UTC (History)
9 users (show)

Fixed In Version: mod_wsgi 4.9.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2022-06-23 17:37:59 UTC 
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

References:
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
Comment 2 Guilherme de Almeida Suckevicz 2022-07-18 17:55:45 UTC 
Upstream patch:
https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
Comment 3 Guilherme de Almeida Suckevicz 2022-07-18 18:00:15 UTC 
Created mod_wsgi tracking bugs for this issue:

Affects: fedora-all [bug 2108273]


Created python3-mod_wsgi tracking bugs for this issue:

Affects: epel-7 [bug 2108272]
Note You need to log in before you can comment on or make changes to this bug.