Attackers may spoof IP address when using proxy

High

MGatner published GHSA-ghw3-5qvm-3mqc

Dec 22, 2022

Package

codeigniter4/framework (Composer)

Affected versions

< 4.2.11

Patched versions

4.2.11

Description

Impact

This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.

Patches

Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs.

Workarounds

Do not use $request->getIPAddress().

References

https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

Severity

High

7.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L