Vulnerability Description
CodeIgniter is a PHP full-stack web framework. When the application runs behind a reverse proxy, `$request->getIPAddress()` in CodeIgniter4 versions before 4.2.11 may return an attacker-chosen address, so a client can spoof its IP address and defeat any IP-based access control, rate limiting or audit logging built on that value. The issue has been patched: upgrade to version 4.2.11 or later and configure `Config\App::$proxyIPs`, which from 4.2.11 maps each trusted proxy IP address or CIDR range to the name of the HTTP header that proxy sets with the client IP. As a workaround, do not use `$request->getIPAddress()`.
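The PHP script below is an added illustration, not CodeIgniter's own code, of why a resolver that trusts a fixed list of client-IP headers from any configured proxy is spoofable, and how a per-proxy trusted-header map (the shape of the 4.2.11 `$proxyIPs` setting, e.g. `['10.0.1.200' => 'X-Real-IP']`) closes that hole. The resolver functions, the `$_SERVER` arrays and the addresses are constructed for the example; taking the rightmost entry of a comma-separated chain is a design choice made here and is not a description of the framework's parser.

```php
<?php
// Added example: not CodeIgniter's code. Two client-IP resolvers for an app behind
// a reverse proxy, fed constructed $_SERVER arrays. IPv4 only, to keep it short.
declare(strict_types=1);

// Header names a "trust any of these" resolver would scan, in CGI ($_SERVER) form.
const LOOSE_HEADERS = ['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP'];

// True if $ip equals $proxy or falls inside the IPv4 CIDR range $proxy.
function matchesProxy(string $ip, string $proxy): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    if (! str_contains($proxy, '/')) {
        return $ip === $proxy;
    }
    [$net, $bits] = explode('/', $proxy, 2);
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Loose resolver: once REMOTE_ADDR is a listed proxy, believe the first valid
// address found in ANY of the usual headers, taking the leftmost chain entry.
// The client controls every one of those headers the proxy does not overwrite.
function looseClientIp(array $server, array $proxyList): string
{
    $remote = $server['REMOTE_ADDR'];
    foreach ($proxyList as $proxy) {
        if (! matchesProxy($remote, $proxy)) {
            continue;
        }
        foreach (LOOSE_HEADERS as $key) {
            if (! isset($server[$key])) {
                continue;
            }
            $first = trim(explode(',', $server[$key])[0]);
            if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
                return $first;
            }
        }
    }
    return $remote;
}

// Strict resolver: each trusted proxy names the ONE header it sets. Only that
// header is read, and only when the TCP peer is that proxy. For a comma-separated
// chain the rightmost entry is used, because that is the one the adjacent proxy
// appended; everything to its left arrived from the client unverified.
function strictClientIp(array $server, array $proxyIPs): string
{
    $remote = $server['REMOTE_ADDR'];
    foreach ($proxyIPs as $proxy => $headerName) {
        if (! matchesProxy($remote, $proxy)) {
            continue;
        }
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
        if (! isset($server[$key])) {
            return $remote; // trusted proxy did not set its header: fail closed
        }
        $chain     = array_map('trim', explode(',', $server[$key]));
        $candidate = end($chain);
        return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
    }
    return $remote;
}

$attacker = '203.0.113.7';  // real client address (constructed)
$forged   = '198.51.100.9'; // address the attacker wants to appear as (constructed)

// 1. Direct connection: no proxy involved, so the forged header must be ignored.
$direct = ['REMOTE_ADDR' => $attacker, 'HTTP_X_FORWARDED_FOR' => $forged];

// 2. Behind a proxy at 10.0.1.200 that sets X-Real-IP to its peer address and
//    forwards the client's own X-Forwarded-For header untouched.
$viaRealIp = [
    'REMOTE_ADDR'          => '10.0.1.200',
    'HTTP_X_REAL_IP'       => $attacker,
    'HTTP_X_FORWARDED_FOR' => $forged,
];

// 3. Behind a proxy that APPENDS its peer to X-Forwarded-For instead of overwriting it.
$viaAppend = [
    'REMOTE_ADDR'          => '10.0.1.200',
    'HTTP_X_FORWARDED_FOR' => "$forged, $attacker",
];

$cases = [
    ['direct',     $direct,    ['10.0.1.200'], ['10.0.1.200' => 'X-Real-IP']],
    ['x-real-ip',  $viaRealIp, ['10.0.1.200'], ['10.0.1.200' => 'X-Real-IP']],
    ['xff-append', $viaAppend, ['10.0.1.200'], ['10.0.1.200' => 'X-Forwarded-For']],
];
foreach ($cases as [$name, $server, $looseConfig, $strictConfig]) {
    printf("%-10s loose=%-14s strict=%s\n", $name,
        looseClientIp($server, $looseConfig), strictClientIp($server, $strictConfig));
}
```

Run with `php spoof.php`. In case 1 both resolvers report the real address, because the peer is not a trusted proxy. In cases 2 and 3 the loose resolver reports the forged address: in case 2 it reads `X-Forwarded-For` even though the proxy only vouches for `X-Real-IP`, and in case 3 it takes the leftmost chain entry, which the client wrote. The strict resolver reports the real address in both. The practical checks this implies: list only the addresses your proxy actually connects from, name only the header that proxy overwrites or appends, and remember that the leftmost `X-Forwarded-For` value is never trustworthy unless the proxy strips the incoming header first.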
CVSS Score
7.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codeigniter | Codeigniter | >= 4.0.0, < 4.2.11 |
Related Weaknesses (CWE)
References
- https://github.com/codeigniter4/CodeIgniter4/commit/5ca8c99b2db09a2a08a013836628 (Patch, Third Party Advisory)
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm- (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-23556?
CVE-2022-23556 is a vulnerability with a CVSS score of 7.0 (HIGH) in CodeIgniter, a PHP full-stack web framework. It may allow attackers to spoof their IP address when the server is behind a reverse proxy, because `$request->getIPAddress()` can return a client-controlled value. The issue has been patched: upgrade to version 4.2.11 or later and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.
How severe is CVE-2022-23556?
CVE-2022-23556 has been rated HIGH with a CVSS base score of 7.0/10; see the CVSS Score section above. The practical impact is that any IP-based access control, rate limiting or logging that relies on `$request->getIPAddress()` can be bypassed or misled by a client behind the proxy.
Is there a patch for CVE-2022-23556?
Yes. The fix is in CodeIgniter 4.2.11: upgrade to 4.2.11 or later and configure `Config\App::$proxyIPs` for your reverse proxy. The References section above links the patch commit and the GitHub security advisory. The affected product is CodeIgniter (CodeIgniter4) versions 4.0.0 up to but not including 4.2.11.