Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-2255 (GCVE-0-2022-2255)
Vulnerability from cvelistv5 – Published: 2022-08-25 17:26 – Updated: 2024-08-03 00:32
VLAI?
EPSS
Summary
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mod_wsgi",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "mod_wsgi versions prior to 4.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T00:06:17",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-2255",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mod_wsgi",
"version": {
"version_data": [
{
"version_value": "mod_wsgi versions prior to 4.9.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-348"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html",
"refsource": "MISC",
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
"refsource": "MISC",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082",
"refsource": "MISC",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-2255",
"datePublished": "2022-08-25T17:26:19",
"dateReserved": "2022-06-29T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2255
Vulnerability from fstec - Published: 18.07.2022
VLAI Severity ?
Title
Уязвимость модуля mod_wsgi веб-сервера Apache, связанная с ошибками при обработке заголовока X-Client-IP, позволяющая нарушителю получить несанкционированный доступ к сетевым службам
Description
Уязвимость модуля mod_wsgi веб-сервера Apache связана с ошибками при обработке заголовока X-Client-IP. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ к сетевым службам
Severity ?
Vendor
Canonical Ltd., Novell Inc., Red Hat Inc., Сообщество свободного программного обеспечения, ООО «Ред Софт», ООО «РусБИТех-Астра», АО «ИВК», АО "НППКТ", АО «НТЦ ИТ РОСА»
Software Name
Ubuntu, SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, SUSE Linux Enterprise Module for Web Scripting, Red Hat Enterprise Linux, SUSE Linux Enterprise Module for Public Cloud, SUSE OpenStack Cloud, Debian GNU/Linux, SUSE Enterprise Storage, HPE Helion Openstack, Red Hat Software Collections, SUSE CaaS Platform, SUSE Manager Proxy, SUSE Manager Retail Branch Server, SUSE Manager Server, SUSE Linux Enterprise Module for Server Applications, РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), Альт 8 СП (запись в едином реестре российских программ №4305), SUSE Business Critical Linux, mod_wsgi, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), ROSA Virtualization (запись в едином реестре российских программ №5091), АЛЬТ СП 10
Software Version
18.04 LTS (Ubuntu), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 12 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Linux Enterprise Module for Web Scripting), 8 (Red Hat Enterprise Linux), 12 (SUSE Linux Enterprise Module for Public Cloud), 15 (SUSE Linux Enterprise Module for Public Cloud), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 8 (SUSE OpenStack Cloud), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Module for Public Cloud), Crowbar 8 (SUSE OpenStack Cloud), 10 (Debian GNU/Linux), 6 (SUSE Enterprise Storage), 8 (HPE Helion Openstack), - (Red Hat Software Collections), 9 (SUSE OpenStack Cloud), 12 (SUSE Linux Enterprise Server for SAP Applications), Crowbar 9 (SUSE OpenStack Cloud), 20.04 LTS (Ubuntu), 4.0 (SUSE CaaS Platform), 15 SP2 (SUSE Linux Enterprise Module for Public Cloud), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP1-ESPOS (SUSE Linux Enterprise High Performance Computing), 4.0 (SUSE Manager Proxy), 4.0 (SUSE Manager Retail Branch Server), 4.0 (SUSE Manager Server), 15 SP3 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Suse Linux Enterprise Server), 15 SP2 LTSS (Suse Linux Enterprise Server), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 4.1 (SUSE Manager Retail Branch Server), - (Альт 8 СП), 15 SP4 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise High Performance Computing), 15 (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 15 SP3 (SUSE Linux Enterprise Module for Public Cloud), 22.04 LTS (Ubuntu), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Module for Public Cloud), 15 SP4 (SUSE Linux Enterprise Module for Server Applications), 7.1 (SUSE Enterprise Storage), 15 SP1 (SUSE Business Critical Linux), 15 SP2 (SUSE Business Critical Linux), 15 (SUSE Linux Enterprise High Performance Computing), 15 SP1 (SUSE Linux Enterprise High Performance Computing), до 4.9.3 (mod_wsgi), 4.7 (Astra Linux Special Edition), до 2.6 (ОСОН ОСнова Оnyx), 2.1 (ROSA Virtualization), - (АЛЬТ СП 10)
Possible Mitigations
Использование рекомендаций:
Для mod_wsgi:
https://gihub.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-2255
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-2255.html
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2022-2255
Для Ubuntu:
https://ubuntu.com/security/notices/USN-5551-1
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения mod-wsgi до версии 4.6.5-1+deb10u1
Для Astra Linux Special Edition 1.7: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17
Для Astra Linux Special Edition 4.7: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-1121SE47
Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства
Для системы управления средой виртуализации «ROSA Virtualization» : https://abf.rosalinux.ru/advisories/ROSA-SA-2024-2363
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Reference
https://gihub.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
https://security-tracker.debian.org/tracker/CVE-2022-2255
https://www.suse.com/security/cve/CVE-2022-2255.html
https://access.redhat.com/security/cve/cve-2022-2255
https://ubuntu.com/security/notices/USN-5551-1
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.6/
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-1121SE47
https://altsp.su/obnovleniya-bezopasnosti/
https://abf.rosalinux.ru/advisories/ROSA-SA-2024-2363
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
CWE
CWE-348
{
"CVSS 2.0": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Canonical Ltd., Novell Inc., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "18.04 LTS (Ubuntu), 12 SP3 (SUSE Linux Enterprise Server for SAP Applications), 12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 12 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Linux Enterprise Module for Web Scripting), 8 (Red Hat Enterprise Linux), 12 (SUSE Linux Enterprise Module for Public Cloud), 15 (SUSE Linux Enterprise Module for Public Cloud), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 8 (SUSE OpenStack Cloud), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Module for Public Cloud), Crowbar 8 (SUSE OpenStack Cloud), 10 (Debian GNU/Linux), 6 (SUSE Enterprise Storage), 8 (HPE Helion Openstack), - (Red Hat Software Collections), 9 (SUSE OpenStack Cloud), 12 (SUSE Linux Enterprise Server for SAP Applications), Crowbar 9 (SUSE OpenStack Cloud), 20.04 LTS (Ubuntu), 4.0 (SUSE CaaS Platform), 15 SP2 (SUSE Linux Enterprise Module for Public Cloud), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP1-ESPOS (SUSE Linux Enterprise High Performance Computing), 4.0 (SUSE Manager Proxy), 4.0 (SUSE Manager Retail Branch Server), 4.0 (SUSE Manager Server), 15 SP3 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Suse Linux Enterprise Server), 15 SP2 LTSS (Suse Linux Enterprise Server), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 4.1 (SUSE Manager Retail Branch Server), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), 15 SP4 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise High Performance Computing), 15 (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 15 SP3 (SUSE Linux Enterprise Module for Public Cloud), 22.04 LTS (Ubuntu), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Module for Public Cloud), 15 SP4 (SUSE Linux Enterprise Module for Server Applications), 7.1 (SUSE Enterprise Storage), 15 SP1 (SUSE Business Critical Linux), 15 SP2 (SUSE Business Critical Linux), 15 (SUSE Linux Enterprise High Performance Computing), 15 SP1 (SUSE Linux Enterprise High Performance Computing), \u0434\u043e 4.9.3 (mod_wsgi), 4.7 (Astra Linux Special Edition), \u0434\u043e 2.6 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), 2.1 (ROSA Virtualization), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f mod_wsgi:\nhttps://gihub.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-2255\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-2255.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2022-2255\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/notices/USN-5551-1\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f mod-wsgi \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 4.6.5-1+deb10u1\n\n\u0414\u043b\u044f Astra Linux Special Edition 1.7: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-1121SE47\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u0440\u0435\u0434\u043e\u0439 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u00abROSA Virtualization\u00bb : https://abf.rosalinux.ru/advisories/ROSA-SA-2024-2363\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "18.07.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.08.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-05209",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-2255",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Ubuntu, SUSE Linux Enterprise Server for SAP Applications, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, SUSE Linux Enterprise Module for Web Scripting, Red Hat Enterprise Linux, SUSE Linux Enterprise Module for Public Cloud, SUSE OpenStack Cloud, Debian GNU/Linux, SUSE Enterprise Storage, HPE Helion Openstack, Red Hat Software Collections, SUSE CaaS Platform, SUSE Manager Proxy, SUSE Manager Retail Branch Server, SUSE Manager Server, SUSE Linux Enterprise Module for Server Applications, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), SUSE Business Critical Linux, mod_wsgi, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), ROSA Virtualization (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165091), \u0410\u041b\u042c\u0422 \u0421\u041f 10",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Canonical Ltd. Ubuntu 18.04 LTS , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP3 , Novell Inc. Suse Linux Enterprise Server 12 SP4 , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1 , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 , Canonical Ltd. Ubuntu 20.04 LTS , Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , Novell Inc. Suse Linux Enterprise Server 12 , Novell Inc. Suse Linux Enterprise Server 15 SP2 LTSS , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Novell Inc. Suse Linux Enterprise Server 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. Suse Linux Enterprise Server 15 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Server 15 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Canonical Ltd. Ubuntu 22.04 LTS , Red Hat Inc. Red Hat Enterprise Linux 9 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.6 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb ROSA Virtualization 2.1 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165091), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f mod_wsgi \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Apache, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a\u0430 X-Client-IP, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0441\u0435\u0442\u0435\u0432\u044b\u043c \u0441\u043b\u0443\u0436\u0431\u0430\u043c",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u043d\u0435\u0435 \u043d\u0430\u0434\u0435\u0436\u043d\u043e\u0433\u043e \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430 (CWE-348)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f mod_wsgi \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Apache \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a\u0430 X-Client-IP. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0441\u0435\u0442\u0435\u0432\u044b\u043c \u0441\u043b\u0443\u0436\u0431\u0430\u043c",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://gihub.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751\nhttps://security-tracker.debian.org/tracker/CVE-2022-2255\nhttps://www.suse.com/security/cve/CVE-2022-2255.html\nhttps://access.redhat.com/security/cve/cve-2022-2255\nhttps://ubuntu.com/security/notices/USN-5551-1\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.6/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2022-1121SE47\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://abf.rosalinux.ru/advisories/ROSA-SA-2024-2363\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-348",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,1)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,6)"
}
FKIE_CVE-2022-2255
Vulnerability from fkie_nvd - Published: 2022-08-25 18:15 - Updated: 2024-11-21 07:00
Severity ?
Summary
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| modwsgi | mod_wsgi | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABF101A0-DFE0-4FF4-ABA3-5A1FFB612AF3",
"versionEndExcluding": "4.9.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en mod_wsgi. El encabezado X-Client-IP no es eliminado de una solicitud procedente de un proxy no confiable, lo que permite a un atacante pasar la cabecera X-Client-IP a la aplicaci\u00f3n WSGI de destino porque falta la condici\u00f3n para eliminarla."
}
],
"id": "CVE-2022-2255",
"lastModified": "2024-11-21T07:00:37.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-25T18:15:09.993",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-348"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
bit-mod_wsgi-2022-2255
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:56
Modified
2025-04-03 14:40
Summary
Details
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "mod_wsgi",
"purl": "pkg:bitnami/mod_wsgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.3"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-2255"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"id": "BIT-mod_wsgi-2022-2255",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:56:14.075Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
},
{
"type": "WEB",
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255"
}
],
"schema_version": "1.5.0"
}
cve-2022-2255
Vulnerability from osv_almalinux
Published
2025-05-12 00:00
Modified
2025-05-13 12:40
Summary
Moderate: python39:3.9 security update
Details
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
- mod_wsgi: Trusted Proxy Headers Removing Bypass (CVE-2022-2255)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-PyMySQL"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.1-2.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-cffi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3-2.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-cffi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3-2.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-chardet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.4-19.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-cryptography"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.1-3.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-idle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-idna"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10-4.module_el8.10.0+3849+a48d89aa"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.5-1.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.5-1.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-mod_wsgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.1-7.module_el8.10.0+3989+a618fe15.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-numpy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.4-3.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-numpy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.4-3.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-numpy-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.4-3.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-numpy-f2py"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.4-3.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-numpy-f2py"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.4-3.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pip"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.2.4-9.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pip-wheel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.2.4-9.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-ply"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11-10.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-psutil"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.0-4.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-psutil"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.0-4.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-psycopg2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.6-3.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-psycopg2-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.6-3.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-psycopg2-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.6-3.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pycparser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.20-3.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pysocks"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-4.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pyyaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.1-1.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-pyyaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.1-1.module_el8.6.0+3248+c431e88c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-requests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.0-3.module_el8.9.0+3634+fb2a896c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-rpm-macros"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-scipy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.4-5.module_el8.9.0+3634+fb2a896c"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-setuptools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "50.3.2-6.module_el8.10.0+3885+d986a391"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-setuptools-wheel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "50.3.2-6.module_el8.10.0+3885+d986a391"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-six"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.0-3.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-test"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-tkinter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.20-1.module_el8.10.0+3902+1690be06"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-toml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.1-5.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-urllib3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.10-5.module_el8.10.0+3765+2f9a457d"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-wheel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:0.35.1-4.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python39-wheel-wheel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:0.35.1-4.module_el8.6.0+2780+a40f65e1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. \n\nSecurity Fix(es): \n\n * mod_wsgi: Trusted Proxy Headers Removing Bypass (CVE-2022-2255)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:4791",
"modified": "2025-05-13T12:40:24Z",
"published": "2025-05-12T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:4791"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-2255"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2100563"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2025-4791.html"
}
],
"related": [
"CVE-2022-2255"
],
"summary": "Moderate: python39:3.9 security update"
}
GSD-2022-2255
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-2255",
"description": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"id": "GSD-2022-2255",
"references": [
"https://www.suse.com/security/cve/CVE-2022-2255.html",
"https://advisories.mageia.org/CVE-2022-2255.html",
"https://ubuntu.com/security/CVE-2022-2255"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-2255"
],
"details": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"id": "GSD-2022-2255",
"modified": "2023-12-13T01:19:19.572551Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-2255",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mod_wsgi",
"version": {
"version_data": [
{
"version_value": "mod_wsgi versions prior to 4.9.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-348"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html",
"refsource": "MISC",
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
"refsource": "MISC",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082",
"refsource": "MISC",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.9.3",
"affected_versions": "All versions before 4.9.3",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-08-30",
"description": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"fixed_versions": [
"4.9.3"
],
"identifier": "CVE-2022-2255",
"identifiers": [
"GHSA-7527-8855-9cf8",
"CVE-2022-2255"
],
"not_impacted": "All versions starting from 4.9.3",
"package_slug": "pypi/mod-wsgi",
"pubdate": "2022-08-26",
"solution": "Upgrade to version 4.9.3 or above.",
"title": "Incorrect header handling in mod-wsgi",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082",
"https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html",
"https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751",
"https://github.com/advisories/GHSA-7527-8855-9cf8"
],
"uuid": "b71243e4-90f7-4aaa-8743-4656c76c2a78"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.9.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-2255"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"name": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"name": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"name": "[debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-10-01T02:31Z",
"publishedDate": "2022-08-25T18:15Z"
}
}
}
PYSEC-2022-254
Vulnerability from pysec - Published: 2022-08-25 18:15 - Updated: 2022-08-31 18:46
VLAI?
Details
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Impacted products
| Name | purl | mod-wsgi | pkg:pypi/mod-wsgi |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mod-wsgi",
"purl": "pkg:pypi/mod-wsgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.1.0",
"4.1.1",
"4.1.2",
"4.1.3",
"4.2.0",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.2.5",
"4.2.6",
"4.2.7",
"4.2.8",
"4.3.0",
"4.3.1",
"4.3.2",
"4.4.0",
"4.4.1",
"4.4.10",
"4.4.11",
"4.4.12",
"4.4.13",
"4.4.14",
"4.4.15",
"4.4.16",
"4.4.17",
"4.4.18",
"4.4.19",
"4.4.2",
"4.4.20",
"4.4.21",
"4.4.22",
"4.4.23",
"4.4.3",
"4.4.4",
"4.4.5",
"4.4.6",
"4.4.7",
"4.4.8",
"4.4.9",
"4.5.0",
"4.5.1",
"4.5.10",
"4.5.11",
"4.5.12",
"4.5.13",
"4.5.14",
"4.5.15",
"4.5.16",
"4.5.17",
"4.5.18",
"4.5.19",
"4.5.2",
"4.5.20",
"4.5.21",
"4.5.22",
"4.5.23",
"4.5.24",
"4.5.3",
"4.5.4",
"4.5.5",
"4.5.6",
"4.5.7",
"4.5.8",
"4.5.9",
"4.6.0",
"4.6.1",
"4.6.2",
"4.6.3",
"4.6.4",
"4.6.5",
"4.6.6",
"4.6.7",
"4.6.8",
"4.7.0",
"4.7.1",
"4.8.0",
"4.9.0",
"4.9.1",
"4.9.2"
]
}
],
"aliases": [
"CVE-2022-2255",
"GHSA-7527-8855-9cf8"
],
"details": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"id": "PYSEC-2022-254",
"modified": "2022-08-31T18:46:04.047573Z",
"published": "2022-08-25T18:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"type": "WEB",
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7527-8855-9cf8"
}
]
}
GHSA-7527-8855-9CF8
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2024-09-25 20:02
VLAI?
Summary
Incorrect header handling in mod-wsgi
Details
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mod-wsgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2255"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-30T20:55:04Z",
"nvd_published_at": "2022-08-25T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.",
"id": "GHSA-7527-8855-9cf8",
"modified": "2024-09-25T20:02:55Z",
"published": "2022-08-26T00:03:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255"
},
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751"
},
{
"type": "PACKAGE",
"url": "https://github.com/GrahamDumpleton/mod_wsgi"
},
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"
},
{
"type": "WEB",
"url": "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mod-wsgi/PYSEC-2022-254.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"
},
{
"type": "WEB",
"url": "https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Incorrect header handling in mod-wsgi"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…