High severity · NVD Advisory · Published Aug 25, 2022 · Updated Aug 3, 2024
CVE-2022-2255
Description
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
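To make the mechanics concrete, here is an added Python model of the proxy-header scrubbing described above; it is not mod_wsgi's own C code, and the header set, function names, network ranges and sample request are assumptions constructed for illustration.

```python
import ipaddress

# Proxy-supplied headers (as WSGI environ keys) that may only be honoured when
# they arrive from a trusted proxy. Per the description, the pre-4.9.3 removal
# set lacked X-Client-IP; the sets and names here are constructed for illustration.
PROXY_HEADERS_FIXED = frozenset({
    "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_PROTO",
    "HTTP_X_REAL_IP", "HTTP_X_CLIENT_IP",
})
PROXY_HEADERS_VULNERABLE = PROXY_HEADERS_FIXED - {"HTTP_X_CLIENT_IP"}

def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if the TCP peer lies inside any configured trusted network."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted_proxies)

def scrub_proxy_headers(environ, trusted_proxies, removable=PROXY_HEADERS_FIXED):
    """Copy of the WSGI environ with proxy headers dropped unless the peer is a
    trusted proxy. removable=PROXY_HEADERS_VULNERABLE models the old behaviour."""
    env = dict(environ)
    if not is_trusted_proxy(env["REMOTE_ADDR"], trusted_proxies):
        for key in removable:
            env.pop(key, None)
    return env

def effective_client_ip(environ):
    """Client address as a naive application derives it: X-Client-IP first,
    then the first X-Forwarded-For hop, else the TCP peer."""
    if "HTTP_X_CLIENT_IP" in environ:
        return environ["HTTP_X_CLIENT_IP"].strip()
    if "HTTP_X_FORWARDED_FOR" in environ:
        return environ["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()
    return environ["REMOTE_ADDR"]

# Constructed sample: a request straight from 203.0.113.7 (not a trusted proxy)
# carrying client-supplied proxy headers that claim the client is 10.0.0.1.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",
    "HTTP_X_CLIENT_IP": "10.0.0.1",
}
TRUSTED = ["192.0.2.0/24"]

if __name__ == "__main__":
    vuln = scrub_proxy_headers(SAMPLE_ENVIRON, TRUSTED, PROXY_HEADERS_VULNERABLE)
    fixed = scrub_proxy_headers(SAMPLE_ENVIRON, TRUSTED)
    print("pre-4.9.3 app sees:", effective_client_ip(vuln))   # 10.0.0.1
    print("4.9.3 app sees:    ", effective_client_ip(fixed))  # 203.0.113.7
```

With the incomplete removal set the application still trusts the client-supplied X-Client-IP value; with the complete set it falls back to the real peer address, which is the point of the 4.9.3 fix.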
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mod-wsgi (PyPI) | < 4.9.3 | 4.9.3 |
Affected products
58 package coordinates (OSV), 57 version ranges.
References
- github.com/advisories/GHSA-7527-8855-9cf8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2255 (NVD advisory)
- github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c (affected source, release 4.9.2)
- github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 (mod_wsgi commit)
- github.com/pypa/advisory-database/tree/main/vulns/mod-wsgi/PYSEC-2022-254.yaml (PyPI advisory PYSEC-2022-254)
- lists.debian.org/debian-lts-announce/2022/09/msg00021.html (Debian LTS announcement, mailing list)
- modwsgi.readthedocs.io/en/latest/release-notes/version-4.9.3.html (mod_wsgi 4.9.3 release notes)