Описание
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful hard token, multi-factor authentication (MFA), which is coupled with account management controls, including integration with single sign-on (SSO), to ensure that user permissions are restricted to only the functions necessary for their roles. Access to sensitive information is explicitly authorized and enforced based on predefined access policies. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, which helps identify patterns of unauthorized access or data exposure. The platform enforces the use of validated cryptographic modules across compute resources to protect the confidentiality of information, even in the event of interception.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | ||
| Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Affected | ||
| OpenShift Developer Tools and Services | helm | Affected | ||
| OpenShift Developer Tools and Services | odo | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines-client | Will not fix | ||
| Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/work-rhel8 | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Affected | ||
| Red Hat Ansible Automation Platform 2 | openshift-clients | Affected | ||
| Red Hat Ansible Automation Platform 2 | receptor | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
Improper exposure of client IP addresses in net/http before Go 1.17.12 ...
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
EPSS
6.5 Medium
CVSS3