[Debian] High CVE: CVE-2022-2255: mod-wsgi: pass the X-Client-IP header to the target WSGI application

Bug #2021482 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: hqbai
Milestone: (none)

Bug Description

CVE-2022-2255: https://nvd.nist.gov/vuln/detail/CVE-2022-2255

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
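The missing condition described above is the check "did this request arrive from a proxy we trust?"; only then may a forwarded client-address header be believed. The following is an added, stand-alone WSGI middleware illustrating that check (it is not mod_wsgi's own code or fix); the trusted network `10.0.0.0/8`, the sample addresses and the demo application are all constructed for the example.

```python
import ipaddress

# Headers a reverse proxy is expected to set on behalf of the client. A request
# that did not arrive via a trusted proxy must not be allowed to supply them.
PROXY_HEADERS = ("HTTP_X_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


class TrustedProxyMiddleware:
    """Strip client-supplied proxy headers unless the TCP peer is a trusted proxy."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def _from_trusted_proxy(self, remote_addr):
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # unparsable peer address is never trusted
        return any(addr in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # This is the condition CVE-2022-2255 lacked: drop the headers when the
        # peer is not a trusted proxy, keep them when it is.
        if not self._from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
            for header in PROXY_HEADERS:
                environ.pop(header, None)
        return self.app(environ, start_response)


def client_ip_app(environ, start_response):
    """Demo application: reports the address it would log or use for access control."""
    ip = environ.get("HTTP_X_CLIENT_IP") or environ.get("REMOTE_ADDR", "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [ip.encode()]


def resolve_client_ip(remote_addr, x_client_ip=None, trusted_proxies=("10.0.0.0/8",)):
    """Run one constructed request through the middleware and return what the app saw."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if x_client_ip is not None:
        environ["HTTP_X_CLIENT_IP"] = x_client_ip  # value supplied by the peer
    app = TrustedProxyMiddleware(client_ip_app, trusted_proxies)
    body = b"".join(app(environ, lambda status, headers: None))
    return body.decode()
```

A direct client at 203.0.113.5 claiming `X-Client-IP: 127.0.0.1` is still seen as 203.0.113.5, while the same header set by a proxy inside 10.0.0.0/8 is honoured.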

Base Score: High

References:

https://security-tracker.debian.org/tracker/CVE-2022-2255

libapache2-mod-wsgi-py3_4.7.1-3_amd64.deb ===> libapache2-mod-wsgi-py3_4.7.1-3+deb11u1_amd64.deb

hqbai (hbai)
Changed in starlingx:
assignee: nobody → hqbai (hbai)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/886236

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil) wrote :

Marking as Fix Released. https://review.opendev.org/c/starlingx/tools/+/886236 merged on June 24.

Changed in starlingx:
status: In Progress → Fix Released