Home > Vulnerability Database > CVE-2023-41338

Mend.io Vulnerability Database

CVE-2023-41338

Good to know:

Date: September 8, 2023

Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.

Language: Go

Severity Score

5.3

Related Resources (6)

Url: https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f

Url: https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-41338

Url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

Url: https://docs.gofiber.io/api/ctx#isfromlocal

Url: https://www.mend.io/vulnerability-database/CVE-2023-41338

Severity Score

5.3

Weakness Type (CWE)

Always-Incorrect Control Flow Implementation

CWE-670

Top Fix

Upgrade Version

Upgrade to version v2.49.2

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-41338

Good to know:

Date: September 8, 2023

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?