Vulnerability DatabaseCVE-2022-2255
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-2255
August 25, 2022
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Affected Packages
mod-wsgi (PYTHON):
Affected version(s) >=4.1.0 <4.9.3
Fix Suggestion:
Update to version 4.9.3
Related Resources (10)
https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
https://github.com/GrahamDumpleton/mod_wsgi
https://github.com/advisories/GHSA-7527-8855-9cf8
https://access.redhat.com/security/cve/CVE-2022-2255
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
https://nvd.nist.gov/vuln/detail/CVE-2022-2255
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
https://github.com/pypa/advisory-database/tree/main/vulns/mod-wsgi/PYSEC-2022-254.yaml
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Use of Less Trusted Source
CWE-348
Insufficient Verification of Data Authenticity
CWE-345
EPSS
Base Score:
0.49