CVE-2023-50463 - Vulnerability Details - OpenCVE

ReportizFlow

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Caddyserver	Caddy

Configuration 1 [-]

cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://caddyserver.com/v2
https://github.com/shift72/caddy-geo-ip/issues/4
https://github.com/shift72/caddy-geo-ip/tags

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-12-10T00:00:00

Updated: 2024-08-02T22:16:46.761Z

Reserved: 2023-12-10T00:00:00

Link: CVE-2023-50463

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-10T23:15:07.247

Modified: 2024-11-21T08:37:02.300

Link: CVE-2023-50463

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7FEAAE7-1B58-403B-A74C-3E7C3A1229E6", "versionEndIncluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions)."}, {"lang": "es", "value": "El middleware caddy-geo-ip (tambi\u00e9n conocido como GeoIP) hasta la versi\u00f3n 0.6.0 para Caddy 2, cuando se utiliza trust_header X-Forwarded-For, permite a los atacantes falsificar su direcci\u00f3n IP de origen a trav\u00e9s de un encabezado X-Forwarded-For, que puede eludir un mecanismo de protecci\u00f3n (directiva Trusted_proxy en Reverse_Proxy o restricciones de rango de direcciones IP)."}], "id": "CVE-2023-50463", "lastModified": "2024-11-21T08:37:02.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-12-10T23:15:07.247", "references": [{"source": "[email protected]", "tags": ["Broken Link"], "url": "https://caddyserver.com/v2"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/shift72/caddy-geo-ip/issues/4"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/shift72/caddy-geo-ip/tags"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://caddyserver.com/v2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/shift72/caddy-geo-ip/issues/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/shift72/caddy-geo-ip/tags"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "[email protected]", "type": "Primary"}]}