CVE-2022-34914

Published: Jul 8, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the clientIP variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.webswing.org/docs/20.1/faq/client_ip.html

x_refsource_MISC

https://www.webswing.org/blog/header-injection-vulnerability-cve-2022-34914

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-34914

Description

Affected Products

References