{"id":"PYSEC-2022-254","details":"A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.","aliases":["BIT-mod_wsgi-2022-2255","CVE-2022-2255","GHSA-7527-8855-9cf8"],"modified":"2023-12-06T01:01:57.549700Z","published":"2022-08-25T18:15:00Z","references":[{"type":"WEB","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"},{"type":"WEB","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"},{"type":"WEB","url":"https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-7527-8855-9cf8"}],"affected":[{"package":{"name":"mod-wsgi","ecosystem":"PyPI","purl":"pkg:pypi/mod-wsgi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.9.3"}]}],"versions":["4.1.0","4.1.1","4.1.2","4.1.3","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.10","4.4.11","4.4.12","4.4.13","4.4.14","4.4.15","4.4.16","4.4.17","4.4.18","4.4.19","4.4.2","4.4.20","4.4.21","4.4.22","4.4.23","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.1","4.5.10","4.5.11","4.5.12","4.5.13","4.5.14","4.5.15","4.5.16","4.5.17","4.5.18","4.5.19","4.5.2","4.5.20","4.5.21","4.5.22","4.5.23","4.5.24","4.5.3","4.5.4","4.5.5","4.5.6","4.5.7","4.5.8","4.5.9","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.6.6","4.6.7","4.6.8","4.7.0","4.7.1","4.8.0","4.9.0","4.9.1","4.9.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mod-wsgi/PYSEC-2022-254.yaml"}}],"schema_version":"1.7.3"}