NVD Vulnerability Details: CVE-2022-34914
Analyzed
Source: cve@mitre.org
Published At: 08 Jul, 2022 | 19:15
Updated At: 16 Jul, 2022 | 01:34

Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the {clientIp} variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the {clientIp} variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches

webswing > webswing > Versions before 20.1.16 (exclusive)
cpe:2.3:a:webswing:webswing:*:*:*:*:-:*:*:*
webswing > webswing > Versions from 20.2 (inclusive) to 20.2.19 (exclusive)
cpe:2.3:a:webswing:webswing:*:*:*:*:-:*:*:*
webswing > webswing > Versions from 21.1.0 (inclusive) to 21.1.8 (exclusive)
cpe:2.3:a:webswing:webswing:*:*:*:*:-:*:*:*
webswing > webswing > Versions from 21.2.0 (inclusive) to 21.2.12 (exclusive)
cpe:2.3:a:webswing:webswing:*:*:*:*:-:*:*:*
webswing > webswing > Versions from 22.1.0 (inclusive) to 22.1.3 (exclusive)
cpe:2.3:a:webswing:webswing:*:*:*:*:-:*:*:*
Weaknesses
CWE ID: CWE-74
Type: Primary
Source: nvd@nist.gov
References
Hyperlink: https://www.webswing.org/blog/header-injection-vulnerability-cve-2022-34914
Source: cve@mitre.org
Resource: Vendor Advisory
Hyperlink: https://www.webswing.org/docs/20.1/faq/client_ip.html
Source: cve@mitre.org
Resource: Vendor Advisory