CVE-2023-45132 - OpenCVE

NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wargio	Naxsi

Configuration 1 [-]

cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*

No data.

References

Link	Providers
https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537
https://github.com/wargio/naxsi/pull/103
https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-11T20:21:26.313Z

Updated: 2024-09-17T13:57:09.781Z

Reserved: 2023-10-04T16:02:46.328Z

Link: CVE-2023-45132

Vulnrichment

Updated: 2024-08-02T20:14:19.357Z

NVD

Status : Analyzed

Published: 2023-10-11T21:15:10.207

Modified: 2023-10-18T02:38:01.093

Link: CVE-2023-45132

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45132", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-04T16:02:46.328Z", "datePublished": "2023-10-11T20:21:26.313Z", "dateUpdated": "2024-09-17T13:57:09.781Z"}, "containers": {"cna": {"title": "IgnoreIP/IgnoreCIDR should not trust X-Forwarded-For", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}, {"name": "https://github.com/wargio/naxsi/pull/103", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"name": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}], "affected": [{"vendor": "wargio", "product": "naxsi", "versions": [{"version": ">= 1.3, < 1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T20:21:26.313Z"}, "descriptions": [{"lang": "en", "value": "NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.\n"}], "source": {"advisory": "GHSA-7qjc-q4j9-pc8x", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:14:19.357Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}, {"name": "https://github.com/wargio/naxsi/pull/103", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"name": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}]}, {"affected": [{"vendor": "wargio", "product": "naxsi", "cpes": ["cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.3", "status": "affected", "lessThan": "1.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T13:45:07.638205Z", "id": "CVE-2023-45132", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T13:57:09.781Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45132", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-04T16:02:46.328Z", "datePublished": "2023-10-11T20:21:26.313Z", "dateUpdated": "2024-09-17T13:57:09.781Z"}, "containers": {"cna": {"title": "IgnoreIP/IgnoreCIDR should not trust X-Forwarded-For", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}, {"name": "https://github.com/wargio/naxsi/pull/103", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"name": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537", "tags": ["x_refsource_MISC"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}], "affected": [{"vendor": "wargio", "product": "naxsi", "versions": [{"version": ">= 1.3, < 1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T20:21:26.313Z"}, "descriptions": [{"lang": "en", "value": "NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.\n"}], "source": {"advisory": "GHSA-7qjc-q4j9-pc8x", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:14:19.357Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}, {"name": "https://github.com/wargio/naxsi/pull/103", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"name": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-45132", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T13:45:07.638205Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*"], "vendor": "wargio", "product": "naxsi", "versions": [{"status": "affected", "version": "1.3", "lessThan": "1.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T13:57:02.092Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wargio:naxsi:*:*:*:*:*:nginx:*:*", "matchCriteriaId": "8409BA98-A088-4290-86DF-9654A90D7FAF", "versionEndExcluding": "1.6", "versionStartIncluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious `X-Forwarded-For` IP matches `IgnoreIP` `IgnoreCIDR` rules. This old code was arranged to allow older NGINX versions to also support `IgnoreIP` `IgnoreCIDR` when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any `IgnoreIP` `IgnoreCIDR` for older versions.\n"}, {"lang": "es", "value": "NAXSI es un firewall de aplicaciones web (WAF) de mantenimiento de c\u00f3digo abierto para NGINX. Un problema est\u00e1 presente a partir de la versi\u00f3n 1.3 y anteriores a la versi\u00f3n 1.6 permite que alguien omita el WAF cuando una IP maliciosa `X-Forwarded-For` coincide con las reglas `IgnoreIP` `IgnoreCIDR`. Este c\u00f3digo antiguo se organiz\u00f3 para permitir que las versiones anteriores de NGINX tambi\u00e9n admitieran `IgnoreIP` `IgnoreCIDR` cuando hab\u00eda varios servidores proxy inversos presentes. El problema se solucion\u00f3 en la versi\u00f3n 1.6. Como workaround, no configure ning\u00fan `IgnoreIP` `IgnoreCIDR` para versiones anteriores."}], "id": "CVE-2023-45132", "lastModified": "2023-10-18T02:38:01.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-11T21:15:10.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wargio/naxsi/commit/1b712526ed3314dd6be7e8b0259eabda63c19537"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wargio/naxsi/pull/103"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}