CVE-2022-2255
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-2255
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2255.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-2255
- Aliases
- Downstream
- Related
- Published
- 2022-08-25T18:15:09.993Z
- Modified
- 2025-11-14T12:55:29.713117Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
- References
-
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
- https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
- https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
Affected packages
Git / github.com/grahamdumpleton/mod_wsgi
Affected ranges
- Type
- GIT
- Repo
- https://github.com/grahamdumpleton/mod_wsgi
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0
1.0c1
1.0c2
1.0c3
1.0c4
2.*
2.0
2.0c1
2.0c2
2.0c3
2.0c4
2.0c5
3.*
3.0
3.0c1
3.0c2
3.0c3
3.0c4
3.0c5
3.0c6
3.1
3.2
3.3
3.4
3.4c1
3.5
4.*
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.4.10
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.17
4.4.18
4.4.19
4.4.2
4.4.20
4.4.21
4.4.22
4.4.23
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.2
4.5.20
4.5.21
4.5.22
4.5.23
4.5.24
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.9.2