logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-41338 github.com/gofiber/fiber

Package

Manager: go
Name: github.com/gofiber/fiber
Vulnerable Version: >=0 <=1.14.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00334 pctl0.55605

Details

Fiber unauthorized access vulnerability in `ctx.IsFromLocal()` ### Impact This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. In it's implementation it uses c.IPs(): ```go // IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header. // When IP validation is enabled, only valid IPs are returned. func (c *Ctx) IPs() []string { return c.extractIPsFromHeader(HeaderXForwardedFor) } ``` Thereby, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) ### Patches This issue has been patched in `v2.49.2` with commit [b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc](https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc) ### Workarounds Currently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released. ### References For further information and context regarding this security issue, please refer to the following resources: - [Mozilla Developer Network - X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)

Metadata

Created: 2023-09-08T13:27:21Z
Modified: 2023-09-11T14:39:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3q5p-3558-364f/GHSA-3q5p-3558-364f.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-3q5p-3558-364f
Finding: F164
Auto approve: 1