Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-ghw3-5qvm-3mqc: CodeIgniter4 allows spoofing of IP address when using proxy

Impact

This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.

Patches

Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs.

Workarounds

Do not use $request->getIPAddress().

References

  • https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress

For more information

If you have any questions or comments about this advisory:

ghsa
Open in Source
#vulnerability#git

CodeIgniter4 allows spoofing of IP address when using proxy

High severity GitHub Reviewed Published Dec 22, 2022 in codeigniter4/CodeIgniter4 • Updated Dec 22, 2022

Related news

CVE-2022-23556: Merge pull request from GHSA-ghw3-5qvm-3mqc · codeigniter4/CodeIgniter4@5ca8c99

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.

ghsa: Latest News

GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters
ghsa