CVEbaza.plSłownik CWECWE-348
Common Weakness Enumeration

CWE-348

Use of Less Trusted Source

Kategoria: BaseCVE: 54
Opis

Produkt posiada dwa różne źródła tych samych danych lub informacji, ale wykorzystuje źródło o mniejszym wsparciu dla weryfikacji, mniej zaufane lub mniej odporne na ataki. Powoduje to potencjalne zagrożenie dla bezpieczeństwa i niezawodności systemu.

Description (EN)

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Podatności CVE z CWE-348 (54)
10.0
CVSS
CRITICAL
CVE-2026-48772

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session's `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = '*'` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.

pub. 2026-06-19
9.8
CVSS
CRITICAL
CVE-2026-44183

Podatność w narzędziu Cleanuparr pozwala nieuwierzytelnionemu atakującemu zdalnie ominąć mechanizm uwierzytelnienia oparty na zaufanej sieci i uzyskać dostęp administracyjny. Wynika to z błędnego parsowania nagłówka X-Forwarded-For, który może być w pełni kontrolowany przez atakującego.

pub. 2026-05-12
9.8
CVSS
CRITICAL
CVE-2024-45410

W Traefik, popularnym reverse proxy dla środowisk Cloud Native, wykryto podatność umożliwiającą atakującemu zdalne usunięcie lub modyfikację krytycznych nagłówków HTTP (np. X-Forwarded-Host, X-Forwarded-Port) dodawanych przez proxy przed przekazaniem żądania do aplikacji. Jest to groźne, ponieważ aplikacje backendowe ufają wartościom tych nagłówków, co może prowadzić do poważnych naruszeń bezpieczeństwa.

pub. 2024-09-19
9.8
CVSS
CRITICAL
CVE-2022-31813

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

pub. 2022-06-09
9.2
CVSS
CRITICAL
CVE-2025-59951

W oficjalnym obrazie Docker platformy Termix (wersje 1.5.0 i wcześniejsze) błędna konfiguracja reverse proxy Nginx powoduje, że mechanizm weryfikacji lokalności adresu IP zawsze zwraca wartość True, umożliwiając nieautoryzowany dostęp do wrażliwych danych. Skutkuje to pełną ekspozycją przechowywanych danych uwierzytelniających SSH (adresów, nazw użytkowników i haseł) bez jakiegokolwiek logowania.

pub. 2025-10-01
9.1
CVSS
CRITICAL
CVE-2025-48865

Podatność w routerze Fabio pozwala nieuwierzytelnionym klientom HTTP na usuwanie lub manipulowanie nagłówkami X-Forwarded (np. X-Forwarded-Host, X-Forwarded-Port), które aplikacje backendowe traktują jako zaufane. Stanowi to poważne zagrożenie dla integralności i bezpieczeństwa aplikacji korzystających z tych nagłówków do podejmowania decyzji autoryzacyjnych lub routingowych.

pub. 2025-05-30
9.0
CVSS
CRITICAL
CVE-2026-12249

ADSys w wersjach do v0.16.2 pobiera certyfikat CA z serwera Active Directory Certificate Services przez niezaszyfrowane połączenie HTTP, co umożliwia atakującemu przeprowadzenie ataku Man-in-the-Middle. Skutkiem jest zatrucie systemowego magazynu zaufanych certyfikatów, które pozwala na trwałe podsłuchiwanie i deszyfrowanie ruchu TLS na zaatakowanej maszynie.

pub. 2026-06-22
8.8
CVSS
HIGH
CVE-2024-27773

Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-348: Use of Less Trusted Source may allow RCE

pub. 2024-03-18
8.7
CVSS
HIGH
CVE-2026-43634

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

pub. 2026-05-19
8.7
CVSS
HIGH
CVE-2026-35391

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to bypass IP-based rate limiting (enabling brute-force attacks against the admin login) or forge audit log entries (making malicious activity appear to originate from arbitrary IP addresses). This vulnerability is fixed in 1.4.11.

pub. 2026-04-06
8.2
CVSS
HIGH
CVE-2025-55292

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, will allow the other nodes on the mesh to accept the new information and overwriting the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn't provide any confidentiality or authentication of information, the attacker could potentially also be able to change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5.

pub. 2026-01-28
8.1
CVSS
HIGH
CVE-2024-47880

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.

pub. 2024-10-24
8.1
CVSS
HIGH
CVE-2021-21374

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.

pub. 2021-03-26
7.5
CVSS
HIGH
CVE-2025-69240

Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account. This issue was fixed in version 1.4.6.

pub. 2026-03-16
7.5
CVSS
HIGH
CVE-2024-23105

A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets.

pub. 2024-05-14
7.5
CVSS
HIGH
CVE-2022-2255

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

pub. 2022-08-25
7.5
CVSS
HIGH
CVE-2021-21373

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.

pub. 2021-03-26
7.1
CVSS
HIGH
CVE-2025-47424

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

pub. 2025-05-09
6.9
CVSS
MEDIUM
CVE-2026-57942

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.

pub. 2026-06-29
6.9
CVSS
MEDIUM
CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.

pub. 2026-03-13
Pokazano 20 z 54 podatności
Informacje
ID: CWE-348
Typ: Base
Podatności: 54
MITRE CWE ↗
← Słownik CWE