PYSEC-2022-254
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/mod-wsgi/PYSEC-2022-254.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2022-254
- Aliases
- Published
- 2022-08-25T18:15:00Z
- Modified
- 2023-12-06T00:46:55.603738Z
- Summary
- [none]
- Details
-
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
- References
-
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
- https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
- https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
- https://github.com/advisories/GHSA-7527-8855-9cf8
Affected packages
PyPI / mod-wsgi
Package
- Name
- mod-wsgi
- View open source insights on deps.dev
- Purl
- pkg:pypi/mod-wsgi
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.9.3
Affected versions
4.*
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.17
4.4.18
4.4.19
4.4.20
4.4.21
4.4.22
4.4.23
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.20
4.5.21
4.5.22
4.5.23
4.5.24
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.9.2