CVE-2022-34914

Name of the Vulnerable Software and Affected Versions Webswing versions prior to 20.1.16 Webswing versions prior to 20.2.19 Webswing versions prior to 21.1.8 Webswing versions prior to 21.2.12 Webswing versions prior to 22.1.3

Description The issue allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page, specifically the {clientIp} variable, which can be used as an application startup argument. This variable can be manipulated by a client to store an arbitrary value, allowing the injection of multiple arguments into the session startup without sanitization. Systems not using the clientIP variable in the configuration are not affected.

Recommendations For Webswing versions prior to 20.1.16, update to version 20.1.16 or later. For Webswing versions prior to 20.2.19, update to version 20.2.19 or later. For Webswing versions prior to 21.1.8, update to version 21.1.8 or later. For Webswing versions prior to 21.2.12, update to version 21.2.12 or later. For Webswing versions prior to 22.1.3, update to version 22.1.3 or later. As a temporary workaround, consider restricting the use of the {clientIp} variable in the configuration page to minimize the risk of exploitation.