CVE-2023-50463
published 2023-12-10
CVE-2023-50463: The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address…
Priority: P4 31 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.66% (46.7th percentile)
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | <= 0.6.0 | — |
| github.com | shift72_caddy-geo-ip | 0 – 0.6.0 | — |
OSV
Spoofed source IP address in github.com/shift72/caddy-geo-ip
osv·2024-01-02
CVE-2023-50463 Spoofed source IP address in github.com/shift72/caddy-geo-ip
The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
GHSA
Header spoofing in caddy-geo-ip
ghsa·2023-12-11
CVE-2023-50463 [MEDIUM] CWE-290 Header spoofing in caddy-geo-ip
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
OSV
Header spoofing in caddy-geo-ip
osv·2023-12-11
CVE-2023-50463 [MEDIUM] Header spoofing in caddy-geo-ip
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-12-10