Vulnerability Description
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
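As an added illustration (not code from caddy-geo-ip or Caddy), the Go function below contrasts the two ways a middleware can derive the client IP: honouring X-Forwarded-For from any peer, which is what lets a direct client spoof its address, versus honouring it only when the TCP peer is a configured trusted proxy and then taking the rightmost untrusted hop. The 10.0.0.0/8 trusted range and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ClientIP returns the address to treat as the real client. trusted == nil models
// the vulnerable setup (header honoured from anyone), so the first X-Forwarded-For
// value, written by the client itself, wins. Otherwise the header counts only when
// the TCP peer is a trusted proxy, and the rightmost untrusted hop is the client.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	if trusted == nil {
		return strings.TrimSpace(hops[0]) // attacker-controlled value
	}
	if !inRanges(peer, trusted) {
		return peer // header came straight from the client: ignore it
	}
	for i := len(hops) - 1; i >= 0; i-- {
		if h := strings.TrimSpace(hops[i]); net.ParseIP(h) != nil && !inRanges(h, trusted) {
			return h
		}
	}
	return peer // every hop was a trusted proxy or unparseable
}

func inRanges(ipStr string, nets []*net.IPNet) bool {
	ip := net.ParseIP(ipStr) // nil for garbage; Contains(nil) is false
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8") // constructed trusted proxy range
	r := &http.Request{RemoteAddr: "203.0.113.7:4444", Header: http.Header{"X-Forwarded-For": {"198.51.100.9"}}}
	fmt.Println(ClientIP(r, nil), ClientIP(r, []*net.IPNet{lan})) // 198.51.100.9 203.0.113.7
}
```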
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Caddyserver | Caddy | <= 0.6.0 |
Related Weaknesses (CWE)
References
- https://caddyserver.com/v2 (Broken Link)
- https://github.com/shift72/caddy-geo-ip/issues/4 (Third Party Advisory)
- https://github.com/shift72/caddy-geo-ip/tags (Release Notes)
FAQ
What is CVE-2023-50463?
CVE-2023-50463 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may...
How severe is CVE-2023-50463?
CVE-2023-50463 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-50463?
Check the references section above for vendor advisories and patch information. Affected products include: Caddyserver Caddy.