{"id":"BIT-mod_wsgi-2022-2255","details":"A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.","aliases":["CVE-2022-2255","GHSA-7527-8855-9cf8","PYSEC-2022-254"],"modified":"2025-04-03T14:40:37.652Z","published":"2024-03-06T10:56:14.075Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"},{"type":"WEB","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"},{"type":"WEB","url":"https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2255"}],"affected":[{"package":{"name":"mod_wsgi","ecosystem":"Bitnami","purl":"pkg:bitnami/mod_wsgi"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.9.3"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/mod_wsgi/BIT-mod_wsgi-2022-2255.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}],"schema_version":"1.7.3"}