CVE-2022-2255
HIGH
mod_wsgi < 4.9.3 - Unauthenticated Header Spoofing via X-Client-IP
A vulnerability was found in mod_wsgi before 4.9.3. When a request arrives from an untrusted proxy, the X-Client-IP header is not stripped, because the condition that should remove it is missing from the trusted-proxy header filtering. An unauthenticated attacker can therefore send an arbitrary X-Client-IP value straight through to the target WSGI application; any application that relies on that header for the client address (access control, rate limiting, audit logging) receives an attacker-controlled value instead of one set by a trusted proxy.
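The following is an added illustration, not mod_wsgi's own code: a simplified Python model of the trusted-proxy header filtering the advisory describes. It assumes a WSGI server that, for requests not originating from a configured trusted proxy, drops the proxy-only client-address headers before the application sees the environ. The "vulnerable" filter omits X-Client-IP from its removal list, mirroring the missing condition in 4.9.2; the "fixed" filter removes it. The header list, the trusted network and the request dictionaries are constructed for this example.

```python
"""Constructed model of the X-Client-IP filtering gap (CVE-2022-2255).

Added example, not mod_wsgi source. It mimics the idea behind a WSGI server's
trusted-proxy handling: headers that only a trusted proxy should set must be
removed from requests that do not come from such a proxy.
"""
import ipaddress

# Proxy-only client-address headers, in WSGI environ form. Assumed list for
# this example; the real server's list is in mod_wsgi.c (see the references).
PROXY_CLIENT_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_CLIENT_IP", "HTTP_X_REAL_IP")

# Assumed trusted proxy range, standing in for a WSGITrustedProxies setting.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(remote_addr, trusted_proxies):
    """True when the TCP peer (REMOTE_ADDR) is inside a trusted proxy network."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in trusted_proxies)


def filter_headers_vulnerable(environ, trusted_proxies):
    """Models the pre-4.9.3 gap: X-Client-IP is never removed for untrusted peers."""
    env = dict(environ)
    if not _is_trusted(env["REMOTE_ADDR"], trusted_proxies):
        for key in ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP"):  # X-Client-IP missing
            env.pop(key, None)
    return env


def filter_headers_fixed(environ, trusted_proxies):
    """Models the corrected behaviour: every proxy-only header is removed."""
    env = dict(environ)
    if not _is_trusted(env["REMOTE_ADDR"], trusted_proxies):
        for key in PROXY_CLIENT_HEADERS:
            env.pop(key, None)
    return env


def client_ip_seen_by_app(environ):
    """Typical application pattern: prefer a proxy header, fall back to REMOTE_ADDR.

    This is exactly the pattern that becomes unsafe when the server fails to
    strip spoofable headers from untrusted requests.
    """
    for key in ("HTTP_X_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP"):
        if key in environ:
            return environ[key].split(",")[0].strip()
    return environ["REMOTE_ADDR"]


# Constructed request from an untrusted Internet peer that spoofs both headers.
SPOOFED = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_CLIENT_IP": "127.0.0.1",
    "HTTP_X_FORWARDED_FOR": "127.0.0.1",
}

# Constructed request relayed by a trusted proxy; its header must be kept.
VIA_TRUSTED_PROXY = {
    "REMOTE_ADDR": "10.1.2.3",
    "HTTP_X_CLIENT_IP": "198.51.100.5",
}


def demo():
    """Return (ip seen with vulnerable filter, ip seen with fixed filter)."""
    vuln = client_ip_seen_by_app(filter_headers_vulnerable(SPOOFED, TRUSTED))
    fixed = client_ip_seen_by_app(filter_headers_fixed(SPOOFED, TRUSTED))
    return vuln, fixed


def demo_trusted():
    """The fixed filter still passes the header through from a trusted proxy."""
    return client_ip_seen_by_app(filter_headers_fixed(VIA_TRUSTED_PROXY, TRUSTED))


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable filter, app sees:", v)   # 127.0.0.1 (attacker-chosen)
    print("fixed filter, app sees:", f)        # 203.0.113.7 (real peer)
    print("trusted proxy, app sees:", demo_trusted())
```

The practical check on a deployed instance is to send a request directly to the server from an address outside the trusted-proxy set with an X-Client-IP header and confirm that the application does not see it; with the vulnerable filter the spoofed value survives even though X-Forwarded-For is dropped, which is what the CWE-348 (use of less trusted source) classification above refers to.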
References (4)
Release Notes, Third Party Advisory (x_refsource_misc)
https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html
Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html
Scores
CVSS v3
7.5
EPSS
0.0046
EPSS Percentile
64.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-345
CWE-348
Status
published
Products (3)
debian/debian_linux
10.0
modwsgi/mod_wsgi
< 4.9.3
pypi/mod-wsgi
0 - 4.9.3 (PyPI)
Published
Aug 25, 2022
Tracked Since
Feb 18, 2026