{"id":"CVE-2022-2255","details":"A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.","aliases":["BIT-mod_wsgi-2022-2255","GHSA-7527-8855-9cf8","PYSEC-2022-254"],"modified":"2026-04-16T00:07:03.495613542Z","published":"2022-08-25T18:15:09.993Z","related":["ALSA-2025:4791","SUSE-SU-2022:4010-1","SUSE-SU-2022:4013-1","SUSE-SU-2022:4488-1","openSUSE-SU-2024:12535-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00021.html"},{"type":"ADVISORY","url":"https://modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html"},{"type":"EVIDENCE","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941"},{"type":"EVIDENCE","url":"https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grahamdumpleton/mod_wsgi","events":[{"introduced":"0"},{"fixed":"a376ffc899a160e8ee91160e2da76edcfa260b31"}],"database_specific":{"cpe":"cpe:2.3:a:modwsgi:mod_wsgi:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"4.9.3"}],"source":"CPE_FIELD"}}],"versions":["1.0","1.0c1","1.0c2","1.0c3","1.0c4","2.0","2.0c1","2.0c2","2.0c3","2.0c4","2.0c5","3.0","3.0c1","3.0c2","3.0c3","3.0c4","3.0c5","3.0c6","3.1","3.2","3.3","3.4","3.4c1","3.5","4.1.0","4.1.1","4.1.2","4.1.3","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.8","4.3.0","4.3.1","4.3.2","4.4.0","4.4.1","4.4.10","4.4.11","4.4.12","4.4.13","4.4.14","4.4.15","4.4.16","4.4.17","4.4.18","4.4.19","4.4.2","4.4.20","4.4.21","4.4.22","4.4.23","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.1","4.5.10","4.5.11","4.5.12","4.5.13","4.5.14","4.5.15","4.5.16","4.5.17","4.5.18","4.5.19","4.5.2","4.5.20","4.5.21","4.5.22","4.5.23","4.5.24","4.5.3","4.5.4","4.5.5","4.5.6","4.5.7","4.5.8","4.5.9","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.8.0","4.9.0","4.9.1","4.9.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2255.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}