
CVE-2022-2255

Published: 22 July 2022

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: mod-wsgi (Launchpad, Ubuntu, Debian)

| Release | Status |
|---|---|
| bionic | Released (4.5.17-1ubuntu1.1) |
| focal | Released (4.6.8-1ubuntu3.1) |
| jammy | Released (4.9.0-1ubuntu0.1) |
| kinetic | Released (4.9.0-1ubuntu1) |
| trusty | Not vulnerable |
| upstream | Needs triage |
| xenial | Not vulnerable |

Patches:
upstream: https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751