Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-41338
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-08 Sep, 2023 | 19:15
Updated At-12 Sep, 2023 | 19:12

Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
gofiber
gofiber
>>fiber>>Versions before 2.49.2(exclusive)
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-670Primarysecurity-advisories@github.com
CWE ID: CWE-670
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Forsecurity-advisories@github.com
Technical Description
https://docs.gofiber.io/api/ctx#isfromlocalsecurity-advisories@github.com
Product
https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dcsecurity-advisories@github.com
Patch
https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364fsecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
Source: security-advisories@github.com
Resource:
Technical Description
Hyperlink: https://docs.gofiber.io/api/ctx#isfromlocal
Source: security-advisories@github.com
Resource:
Product
Hyperlink: https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f
Source: security-advisories@github.com
Resource:
Vendor Advisory
Change History
0Changes found
Details not found