Authentication Bypass by Spoofing Affecting pretix package, versions [3.0.0,4.20.2.post1) [2023.6.0,2023.6.1) [2023.7.0,2023.7.1)


Severity

medium (Snyk recommended score)

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.11% (45th percentile)

  • Snyk ID SNYK-PYTHON-PRETIX-5927098
  • published 5 Oct 2023
  • disclosed 2 Oct 2023
  • credit Unknown

How to fix?

Upgrade pretix to version 4.20.2.post1, 2023.6.1, 2023.7.1 or higher.

Overview

pretix is a ticket presale system ("Reinventing presales, one ticket at a time").

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing due to the incorrect parsing of configuration files. An attacker can spoof IP addresses by manipulating unchecked X-Forwarded-For headers.

Note:

This vulnerability is exploitable only if a reverse proxy configuration is used that allows the user to set these headers themselves and the relevant config flags have been explicitly turned off.
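As an added illustration (not pretix's own code), the following contrasts the unchecked handling the advisory describes with a hardened client-IP resolver that honours X-Forwarded-For only when the trust flag is on and the request actually arrived from a trusted proxy; the proxy networks, header values and flag name are constructed assumptions.

```python
import ipaddress
from typing import Iterable, Optional


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Unchecked pattern: believes the leftmost X-Forwarded-For value
    no matter who sent it, so any client can claim any address."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted(addr: str, nets) -> bool:
    """True if addr parses and falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def hardened_client_ip(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str],
                       trust_header: bool) -> str:
    """Honour X-Forwarded-For only when the (hypothetical) trust flag is on and
    the TCP peer is a trusted proxy, then walk the chain from the right,
    skipping trusted hops; the first untrusted hop is the client. This relies
    on the proxy appending the real peer address: a proxy that forwards the
    client's own header untouched cannot be made safe at this layer, which is
    the situation the advisory's note describes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not trust_header or not xff or not _is_trusted(remote_addr, nets):
        return remote_addr
    chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
    for hop in reversed(chain):
        if not _is_trusted(hop, nets):
            return hop
    return remote_addr  # every hop was an internal proxy


def demo() -> dict:
    # Constructed sample: a client connects through trusted proxy 10.0.0.2 and
    # sends a forged header claiming 127.0.0.1; the proxy appends the real peer.
    trusted = ["10.0.0.0/8"]
    xff = "127.0.0.1, 203.0.113.9"
    return {
        "naive": naive_client_ip("10.0.0.2", xff),                       # 127.0.0.1
        "hardened": hardened_client_ip("10.0.0.2", xff, trusted, True),  # 203.0.113.9
        "direct": hardened_client_ip("203.0.113.9", "127.0.0.1", trusted, True),
        "flag_off": hardened_client_ip("10.0.0.2", xff, trusted, False),
    }
```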

CVSS Scores

version 3.1

Snyk

Recommended
4.8 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None

NVD

5.3 medium