CVE-2023-44463 — pretix potential IP address spoofing vulnerability

Description

An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.

How to fix CVE-2023-44463

To remediate CVE-2023-44463, upgrade the affected package to a fixed version below.

—upgrade to 2023.7.1 or later
—upgrade to ccdce2ccb8207b82501af3c03f50abc0f819b469 or later

Is CVE-2023-44463 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2023.7.1
from 0, < ccdce2ccb8207b82501af3c03f50abc0f819b469 | from 0, < 2023.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (10)

ADVISORYgithub.com/advisories/GHSA-j9gq-w73w-9h6c
ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-44463
ADVISORYpretix.eu/about/en/blog/20230911-release-2023-7-1/
WEBgithub.com/pretix/pretix
WEB