发布时间: 2022年8月13日
修改时间: 2024年10月31日
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.References:https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082
| NVD | openEuler | |
|---|---|---|
| Confidentiality | None | Low |
| Attack Vector | Network | Network |
| CVSS评分 | 7.5 | 5.6 |
| Attack Complexity | Low | High |
| Privileges Required | None | None |
| Scope | Unchanged | Unchanged |
| Integrity | High | Low |
| User Interaction | None | None |
| Availability | None | Low |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2022-1910 | mod_wsgi security update | 2022年8月13日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | mod_wsgi | Fixed |
| KY3.4-5A | mod_wsgi | Fixed |
| KY3.5.1 | mod_wsgi | Fixed |
