ALT-PU-2023-7563-3
Package apache2-mod_wsgi updated to version 4.9.4-alt1 for branch c9f2 in task 335046.
Closed vulnerabilities
Published: 2022-07-18
BDU:2022-05209
Уязвимость модуля mod_wsgi веб-сервера Apache, связанная с ошибками при обработке заголовока X-Client-IP, позволяющая нарушителю получить несанкционированный доступ к сетевым службам
Severity: MEDIUM (5.6)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2022-08-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-2255
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
- [debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update
- [debian-lts-announce] 20220915 [SECURITY] [DLA 3111-1] mod-wsgi security update
- https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
- https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html