An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01eDVxLWNxZjYtZ2o4cs4AA_CL

Severity: Moderate | CVSS: 6.9 | EPSS: 0.0038% (0.58771 percentile)

Serilog Client IP Spoofing vulnerability

Affected Package                                   Affected Versions   Fixed Versions
nuget:Serilog.Enrichers.ClientInfo                 < 2.1.0             2.1.0
PURL: pkg:nuget/Serilog.Enrichers.ClientInfo

Dependent packages: 38
Dependent repositories: 0
Downloads total: 22,925,731

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.4-dev01, 1.2.0, 1.3.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3

All unaffected versions

2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0

Serilog.Enrichers.ClientInfo (before v2.1.0) contains a Client IP Spoofing vulnerability: the enricher takes the client address from the X-Forwarded-For or Client-Ip request headers without checking who sent them, so an attacker can place an arbitrary IP address in those headers and have that value recorded as their IP in the log files.

Affected versions provide no configuration option to stop Serilog.Enrichers.ClientInfo from trusting the X-Forwarded-For header.
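The defensive pattern behind the fix, as an added example that is not code from the advisory or from the Serilog.Enrichers.ClientInfo project: a custom Serilog enricher for ASP.NET Core that records the TCP peer address by default and consults X-Forwarded-For only when the peer is one of the operator's own reverse proxies. The enricher name, the "ClientIp" property name and the trusted-proxy list are assumptions.

```csharp
// Added example (not the project's own code). Assumes an ASP.NET Core host
// with IHttpContextAccessor registered and a list of trusted proxy addresses.
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Http;
using Serilog.Core;
using Serilog.Events;

public sealed class TrustedClientIpEnricher : ILogEventEnricher
{
    private readonly IHttpContextAccessor _accessor;
    private readonly HashSet<IPAddress> _trustedProxies; // assumption: supplied from configuration

    public TrustedClientIpEnricher(IHttpContextAccessor accessor, IEnumerable<IPAddress> trustedProxies)
    {
        _accessor = accessor;
        _trustedProxies = new HashSet<IPAddress>(trustedProxies);
    }

    public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
    {
        var http = _accessor.HttpContext;
        var peer = http?.Connection.RemoteIpAddress;
        if (peer is null) return;

        // The TCP peer address cannot be forged by the client; it is the safe default.
        var clientIp = peer;

        // Vulnerable pattern (affected versions): use the header value unconditionally.
        // Hardened pattern: only read the header when the direct peer is a proxy we operate.
        if (_trustedProxies.Contains(peer)
            && http!.Request.Headers.TryGetValue("X-Forwarded-For", out var forwarded))
        {
            // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the address
            // it saw. Walk from the right, skip our own proxies, and take the first hop that is
            // not ours; that is the address our trusted proxy actually observed.
            var hops = forwarded.ToString().Split(',', StringSplitOptions.RemoveEmptyEntries);
            for (int i = hops.Length - 1; i >= 0; i--)
            {
                if (!IPAddress.TryParse(hops[i].Trim(), out var hop)) break; // malformed: keep peer
                if (_trustedProxies.Contains(hop)) continue;
                clientIp = hop;
                break;
            }
        }

        logEvent.AddPropertyIfAbsent(propertyFactory.CreateProperty("ClientIp", clientIp.ToString()));
    }
}
```

Any value a client injects on the left of the header is never reached, because the walk stops at the first address appended by a trusted proxy.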

References: