Miggo Logo
Miggo Vulnerability Database
CVE-2020-13485

CVE-2020-13485: Knock Knock plugin IP Whitelist bypass via an X-Forwarded-For HTTP header

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-13485
GHSA ID
GHSA-wxvr-qqm7-6h65
EPSS Score
0.53403%
CWE
CWE-697
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
verbb/knock-knockcomposer< 1.2.81.2.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper IP comparison (CWE-697) where the plugin trusted the X-Forwarded-For header without validation(). The changelog for 1.2.8 explicitly mentions fixing IP fetching to prevent header spoofing, indicating the whitelist check previously relied on untrusted headers. The service class handling access control (KnockKnockService) would contain the IP validation logic, making checkWhitelist the most likely vulnerable function. The high confidence comes from the direct correlation between the vulnerability description, CWE type, and the patch's focus on IP source correction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Kno*k Kno*k plu*in ***or* *.*.* *or *r**t *MS *llows IP W*it*list *yp*ss vi* *n X-*orw*r***-*or *TTP *****r.

Reasoning

T** vuln*r**ility st*ms *rom improp*r IP *omp*rison (*W*-***) w**r* t** plu*in trust** t** X-*orw*r***-*or *****r wit*out `v*li**tion()`. T** ***n**lo* *or *.*.* *xpli*itly m*ntions *ixin* IP **t**in* to pr*v*nt *****r spoo*in*, in*i**tin* t** w*it*l