GHSA-87pf-7x99-5xc4

Source

https://github.com/advisories/GHSA-87pf-7x99-5xc4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-87pf-7x99-5xc4/GHSA-87pf-7x99-5xc4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-87pf-7x99-5xc4

Published

2024-05-23T19:27:33Z

Modified

2024-11-28T05:40:22.033023Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Silverstripe Hostname, IP and Protocol Spoofing through HTTP Headers

Details

In it's default configuration, SilverStripe trusts all originating IPs to include HTTP headers for Hostname, IP and Protocol. This enables reverse proxies to forward requests while still retaining the original request information. Trusted IPs can be limited via the SSTRUSTEDPROXY_IPS constant. Even with this restriction in place, SilverStripe trusts a variety of HTTP headers due to different proxy notations (e.g. X-Forwarded-For vs. Client-IP). Unless a proxy explicitly unsets invalid HTTP headers from connecting clients, this can lead to spoofing requests being passed through trusted proxies.

The impact of spoofed headers can include Director::forceSSL() not being enforced, SS_HTTPRequest->getIP() returning a wrong IP (disabling any IP restrictions), and spoofed hostnames circumventing any hostname-specific restrictions enforced in SilverStripe Controllers.

Regardless on running a reverse proxy in your hosting infrastructure, please follow the instructions on Secure Coding: Request hostname forgery in order to opt-in to these protections. If your website is not behind a reverse proxy, you might already be protected if using Apache with mod_env enabled, and you have the following line in your .htaccess file: SetEnv BlockUntrustedIPs true.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T19:27:33Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.17

Affected versions

2.*

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

3.*

3.0.2.1

3.0.3-rc1

3.0.3-rc2

3.0.3

3.0.4

3.0.5

3.0.6-rc1

3.0.6-rc2

3.0.6

3.0.7-rc1

3.0.7

3.0.8

3.0.9-rc1

3.0.9

3.0.10-rc1

3.0.10

3.0.11-rc1

3.0.11

3.0.12

3.0.13

3.0.14

3.1.0-beta1

3.1.0-beta2

3.1.0-beta3

3.1.0-rc1

3.1.0-rc2

3.1.0-rc3

3.1.0

3.1.1

3.1.2-rc1

3.1.2

3.1.3-rc1

3.1.3-rc2

3.1.3

3.1.4-rc1

3.1.4

3.1.5-rc1

3.1.5

3.1.6-rc1

3.1.6-rc2

3.1.6-rc3

3.1.6

3.1.7-rc1

3.1.7

3.1.8

3.1.9-rc1

3.1.9

3.1.10-rc1

3.1.10-rc2

3.1.10

3.1.11-rc1

3.1.11

3.1.12

3.1.13-rc1

3.1.13

3.1.14-rc1

3.1.14

3.1.15

3.1.16-rc1

3.1.16

3.1.17-rc1

3.1.17-rc2

Database specific

{
    "last_known_affected_version_range": "<= 3.1.16"
}

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.2

Affected versions

3.*

3.2.0

3.2.1-rc1

3.2.1-rc2

3.2.1

3.2.2-rc1

3.2.2-rc2

Database specific

{
    "last_known_affected_version_range": "<= 3.2.1"
}

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0-beta1

Fixed

3.3.0

Affected versions

3.*

3.3.0-beta1

3.3.0-rc1

3.3.0-rc2

3.3.0-rc3