{"schema_version":"1.7.2","id":"OESA-2022-1827","modified":"2022-08-13T11:04:07Z","published":"2022-08-13T11:04:07Z","upstream":["CVE-2022-2255"],"summary":"mod_wsgi security update","details":"The mod_wsgi adapter is an Apache module that provides a WSGI compliant interface for hosting Python based web applications within Apache. The adapter is written completely in C code against the Apache C runtime andfor hosting WSGI applications within Apache has a lower overhead than using existing WSGI adapters for mod_python or CGI.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.\r\n\r\nReferences:\nhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941\nhttps://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082(CVE-2022-2255)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"mod_wsgi","purl":"pkg:rpm/openEuler/mod_wsgi\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.6.4-3.oe1"}]}],"ecosystem_specific":{"aarch64":["mod_wsgi-debuginfo-4.6.4-3.oe1.aarch64.rpm","python3-mod_wsgi-4.6.4-3.oe1.aarch64.rpm","mod_wsgi-debugsource-4.6.4-3.oe1.aarch64.rpm"],"src":["mod_wsgi-4.6.4-3.oe1.src.rpm"],"x86_64":["python3-mod_wsgi-4.6.4-3.oe1.x86_64.rpm","mod_wsgi-debugsource-4.6.4-3.oe1.x86_64.rpm","mod_wsgi-debuginfo-4.6.4-3.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"mod_wsgi","purl":"pkg:rpm/openEuler/mod_wsgi\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.6.4-3.oe1"}]}],"ecosystem_specific":{"aarch64":["python3-mod_wsgi-4.6.4-3.oe1.aarch64.rpm","mod_wsgi-debugsource-4.6.4-3.oe1.aarch64.rpm","mod_wsgi-debuginfo-4.6.4-3.oe1.aarch64.rpm"],"src":["mod_wsgi-4.6.4-3.oe1.src.rpm"],"x86_64":["python3-mod_wsgi-4.6.4-3.oe1.x86_64.rpm","mod_wsgi-debuginfo-4.6.4-3.oe1.x86_64.rpm","mod_wsgi-debugsource-4.6.4-3.oe1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS","name":"mod_wsgi","purl":"pkg:rpm/openEuler/mod_wsgi\u0026distro=openEuler-22.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.6.4-3.oe2203"}]}],"ecosystem_specific":{"aarch64":["python3-mod_wsgi-4.6.4-3.oe2203.aarch64.rpm","mod_wsgi-debuginfo-4.6.4-3.oe2203.aarch64.rpm","mod_wsgi-debugsource-4.6.4-3.oe2203.aarch64.rpm"],"src":["mod_wsgi-4.6.4-3.oe2203.src.rpm"],"x86_64":["mod_wsgi-debugsource-4.6.4-3.oe2203.x86_64.rpm","python3-mod_wsgi-4.6.4-3.oe2203.x86_64.rpm","mod_wsgi-debuginfo-4.6.4-3.oe2203.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1827"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2255"}],"database_specific":{"severity":"Medium"}}