CVE-2022-2255 - OpenCVE

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Modwsgi	Mod Wsgi

Configuration 1 [-]

cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
https://nvd.nist.gov/vuln/detail/CVE-2022-2255
https://www.cve.org/CVERecord?id=CVE-2022-2255

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-08-25T17:26:19

Updated: 2024-08-03T00:32:09.572Z

Reserved: 2022-06-29T00:00:00

Link: CVE-2022-2255

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-25T18:15:09.993

Modified: 2022-10-01T02:31:45.697

Link: CVE-2022-2255

Redhat

Severity : Moderate

Publid Date: 2022-07-18T00:00:00Z

Links: CVE-2022-2255 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "mod_wsgi", "vendor": "n/a", "versions": [{"status": "affected", "version": "mod_wsgi versions prior to 4.9.3"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "description": "CWE-348", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T00:06:17", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"}, {"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-2255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mod_wsgi", "version": {"version_data": [{"version_value": "mod_wsgi versions prior to 4.9.3"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-348"}]}]}, "references": {"reference_data": [{"name": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html", "refsource": "MISC", "url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"}, {"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941", "refsource": "MISC", "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"}, {"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082", "refsource": "MISC", "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"}, {"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.572Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"}, {"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-2255", "datePublished": "2022-08-25T17:26:19", "dateReserved": "2022-06-29T00:00:00", "dateUpdated": "2024-08-03T00:32:09.572Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABF101A0-DFE0-4FF4-ABA3-5A1FFB612AF3", "versionEndExcluding": "4.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en mod_wsgi. El encabezado X-Client-IP no es eliminado de una solicitud procedente de un proxy no confiable, lo que permite a un atacante pasar la cabecera X-Client-IP a la aplicaci\u00f3n WSGI de destino porque falta la condici\u00f3n para eliminarla."}], "id": "CVE-2022-2255", "lastModified": "2022-10-01T02:31:45.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-25T18:15:09.993", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-348"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Arseniy Sharoglazov (Positive Technologies) for reporting this issue.", "bugzilla": {"description": "mod_wsgi: Trusted Proxy Headers Removing Bypass", "id": "2100563", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2100563"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-348", "details": ["A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.", "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."], "name": "CVE-2022-2255", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "mod_wsgi", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "mod_wsgi", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "mod_wsgi", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python38:3.8/mod_wsgi", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python39:3.9/mod_wsgi", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "mod_wsgi", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Out of support scope", "package_name": "python27-mod_wsgi", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python38-mod_wsgi", "product_name": "Red Hat Software Collections"}], "public_date": "2022-07-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2255\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2255\nhttps://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"], "threat_severity": "Moderate", "upstream_fix": "mod_wsgi 4.9.3"}