CVE-2009-3287
Thin < 1.2.4 - IP Address Spoofing via X-Forwarded-For Header
lib/thin/connection.rb in Thin web server before 1.2.4 relies on the X-Forwarded-For header to determine the IP address of the client, which allows remote attackers to spoof the IP address and hide activities via a modified X-Forwarded-For header.
References (3)
Various Sources (x_refsource_confirm): http://github.com/macournoyer/thin/blob/master/CHANGELOG
Patch (x_refsource_confirm): http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2009/09/12/1
Scores
EPSS: 0.0048
EPSS Percentile: 65.1%
Details
CWE: CWE-20
Status: published
Products (22)
macournoyer/thin 0.4.0
macournoyer/thin 0.4.1
macournoyer/thin 0.5.0
macournoyer/thin 0.5.1
macournoyer/thin 0.5.2
macournoyer/thin 0.5.3
macournoyer/thin 0.5.4
macournoyer/thin 0.6.0
macournoyer/thin 0.6.3
macournoyer/thin 0.6.4
... and 12 more
Published: Sep 22, 2009
Tracked Since: Feb 18, 2026