GitHub Advisory DatabaseGHSA-GHW3-5QVM-3MQCCodeIgniter4 allows spoofing of IP address when using proxy
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
29.4%
Impact
This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.
Patches
Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs.
Workarounds
Do not use $request->getIPAddress().
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in codeigniter4/CodeIgniter4
- Email us at SECURITY.md
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| codeigniter4/framework | lt | 4.2.11 |
References
codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress
github.com/advisories/GHSA-ghw3-5qvm-3mqc
github.com/codeigniter4/CodeIgniter4/commit/5ca8c99b2db09a2a08a013836628028ddc984659
github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm-3mqc
github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-23556.yaml
nvd.nist.gov/vuln/detail/CVE-2022-23556
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
29.4%