CVE-2022-23556

2022-12-2219:15:09

CWE-345

[email protected]

web.nvd.nist.gov

codeigniter

php

framework

vulnerability

ip spoofing

patch

security

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%

JSON

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure Config\App::$proxyIPs. As a workaround, do not use $request->getIPAddress().

Affected configurations

Vulners

NVD

Node

codeigniter4codeigniter4Range<4.2.11

CPENameOperatorVersion
codeigniter:codeignitercodeigniterlt4.2.11

CPE	Name	Operator	Version
codeigniter:codeigniter	codeigniter	lt	4.2.11

CNA Affected

[
  {
    "vendor": "codeigniter4",
    "product": "CodeIgniter4",
    "versions": [
      {
        "version": "< 4.2.11",
        "status": "affected"
      }
    ]
  }
]