IgnoreIP/IgnoreCIDR should not trust X-Forwarded-For

Critical

wargio published GHSA-7qjc-q4j9-pc8x

Oct 11, 2023

Package

naxsi (NGINX)

Affected versions

>= 1.3

Patched versions

1.6

Description

Impact

Allows to bypass the WAF when a malicious X-Forwarded-For IP matches IgnoreIP IgnoreCIDR rules.

This old code was arranged to allow older NGINX versions to also support IgnoreIP IgnoreCIDR when multiple reverse proxies were present.

Patches

Patched in 1b71252

Workarounds

Do not set any IgnoreIP IgnoreCIDR for older versions.

References

Severity

Critical

9.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H