CVE-2022-2255 — Use of Less Trusted Source in MOD Wsgi

CWE-348 — Use of Less Trusted Source CWE-345 — Insufficient Verification of Data Authenticity8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Modwsgi MOD Wsgi Debian Mod-wsgi Debian Linux +1 more

Timeline

PublishedAug 25

Latest updateAug 26

Description

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/mod-wsgi< mod-wsgi 4.9.0-1.1 (bookworm)

▶NVDmodwsgi/mod_wsgi< 4.9.3

▶CVEListV5modwsgi/mod_wsgimod_wsgi versions prior to 4.9.3

▶msrcmsrc/cbl2_mod_wsgi_4.9.3-2_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

Incorrect header handling in mod-wsgi↗2022-08-26

▶

OSV

Incorrect header handling in mod-wsgi↗2022-08-26

▶

OSV

CVE-2022-2255: A vulnerability was found in mod_wsgi↗2022-08-25

▶

📋Vendor Advisories

Microsoft

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy allowing an attacker to pass the X-Client-IP header to the target WSGI application b↗2022-08-09

▶

Ubuntu

mod-wsgi vulnerability↗2022-08-04

▶

Red Hat

mod_wsgi: Trusted Proxy Headers Removing Bypass↗2022-07-18

▶

Debian

CVE-2022-2255: mod-wsgi - A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed fro...↗2022

▶