logo

Database

Spoofing In github.com/caddyserver/caddy

Description

Header spoofing in caddy-geo-ip The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-504632. NVD-2023-504633. OSV-2023-504634. GCVE-2023-50463

References

1. https://caddyserver.com/v22. https://github.com/shift72/caddy-geo-ip/issues/43. https://github.com/shift72/caddy-geo-ip/tags

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.