Miggo Logo
Miggo Vulnerability Database
CVE-2023-37265

CVE-2023-37265: CasaOS Gateway vulnerable to incorrect identification of source IP addresses

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-37265
GHSA ID
GHSA-vjh7-5r6x-xh6g
EPSS Score
0.99671%
CWE
CWE-306
Published
7/17/2023
Updated
12/12/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/IceWhaleTech/CasaOS-Gatewaygo< 0.4.40.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper IP validation in the request handling flow. The pre-patch code in gateway_route.go's GetRoute handler forwarded requests without sanitizing X-Forwarded-For headers. This allowed attackers to manipulate their perceived IP address to bypass authentication middleware (like ExceptLocalhost) that skipped JWT validation for localhost requests. The critical missing element was the rewriteRequestSourceIP() function added in the patch, which properly sanitizes headers and validates the remote IP before trusting X-Forwarded-For values. The anonymous handler function in GetRoute is identified as the vulnerable entry point because it directly handled incoming requests without these protections.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Un*ut**nti**t** *tt**k*rs **n *x**ut* *r*itr*ry *omm*n*s *s `root` on **s*OS inst*n**s. ### P*t***s T** pro*l*m w*s ***r*ss** *y improvin* t** **t**tion o* *li*nt IP ***r*ss*s in *******. T*is p*t** is p*rt o* **s*OS *.*.*. ### Work*ro

Reasoning

T** vuln*r**ility st*mm** *rom improp*r IP v*li**tion in t** r*qu*st **n*lin* *low. T** pr*-p*t** *o** in `**t*w*y_rout*.*o`'s `**tRout*` **n*l*r *orw*r*** r*qu*sts wit*out s*nitizin* X-*orw*r***-*or *****rs. T*is *llow** *tt**k*rs to m*nipul*t* t**i