GHSA-7527-8855-9cf8

Source

https://github.com/advisories/GHSA-7527-8855-9cf8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-7527-8855-9cf8/GHSA-7527-8855-9cf8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7527-8855-9cf8

Aliases

Published

2022-08-26T00:03:30Z

Modified

2024-09-25T20:23:43.629378Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Incorrect header handling in mod-wsgi

Details

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

Database specific

{
    "nvd_published_at": "2022-08-25T18:15:00Z",
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:55:04Z"
}

References

Affected packages

PyPI / mod-wsgi

Package

Name: mod-wsgi; View open source insights on deps.dev
Purl: pkg:pypi/mod-wsgi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.9.3

Affected versions

4.*

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.17

4.4.18

4.4.19

4.4.20

4.4.21

4.4.22

4.4.23

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.5.15

4.5.16

4.5.17

4.5.18

4.5.19

4.5.20

4.5.21

4.5.22

4.5.23

4.5.24

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.7.0

4.7.1

4.8.0

4.9.0

4.9.1

4.9.2