X-Forwarded-For header allows brute-forcing autoblocked IP addresses
Critical severity
GitHub Reviewed
Published
Mar 31, 2023
to the GitHub Advisory Database
•
Updated Feb 18, 2025
Package
Affected versions
>= 1.39.0, < 1.39.3
>= 1.38.0, < 1.38.6
< 1.35.10
Patched versions
1.39.3
1.38.6
1.35.10
Description
Published by the National Vulnerability Database
Mar 31, 2023
Published to the GitHub Advisory Database
Mar 31, 2023
Reviewed
Nov 1, 2024
Last updated
Feb 18, 2025
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
References